Description of problem:
The 'vlock' command no longer performs PAM account management (authorization checking) or credential reinitialization.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. run 'vlock' or 'vlock -a'
After checking the user's password,
After calling pam_authenticate(), vlock should be calling pam_acct_mgmt(), and if that fails, rejecting the unlock attempt. If it succeeds, it should be calling pam_setcred() with the PAM_REINITIALIZE_CRED flag.
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.
(As we did not run this process for some time, it could affect also pre-Fedora 19 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)
More information and reason for this action is here:
A possible workaround is to create a file /etc/pam.d/vlock with something like
auth include system-auth
account required pam_permit.so
(this is taken from vlock-1.3-33.fc18).
That'd take care of part of it (as in bug #913309), but without code changes it's not going to detect things like passwords having expired or (depending on how it's done) accounts being locked.
vlock on F19 for me just goes nuts saying invalid password when ran until the workaround in comment 2 and now it works as expected for me, at least it the case of "Normal user, valid password, ran vlock, unlocked." Don't know about the other use cases.
Created attachment 823465 [details]
Nalin, I'm not familiar with PAM API, would the patch above suffice?
The formatting for the error reporting looks a bit weird, but yes, it roughly matches what the old vlock did, and should work for our purposes.
One thing that the PAM docs (pam_acct_mgmt(3)) recommend is calling pam_chauthtok() if pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD and the application has the ability to walk the user through changing their password, but that's less urgent -- the old vlock didn't do that, either.
Created attachment 826385 [details]
You can test this patch instead.
A word of warning: depending on the authentication scheme, vlock may or may not need extra credentials to do account and password management.
It also has the desired effect. Using PAM_REFRESH_CRED instead of PAM_REINITIALIZE_CRED still triggers the ccache refresh.
(In reply to Nalin Dahyabhai from comment #9)
> It also has the desired effect. Using PAM_REFRESH_CRED instead of
> PAM_REINITIALIZE_CRED still triggers the ccache refresh.
The difference between PAM_REFRESH_CRED and PAM_REINITIALIZE_CRED is not documented clear enough, so authors of various pam modules interpret these flags as they like.
Would you recommend using PAM_REINITIALIZE_CRED instead?
(In reply to Dmitry V. Levin from comment #10)
> (In reply to Nalin Dahyabhai from comment #9)
> > It also has the desired effect. Using PAM_REFRESH_CRED instead of
> > PAM_REINITIALIZE_CRED still triggers the ccache refresh.
> The difference between PAM_REFRESH_CRED and PAM_REINITIALIZE_CRED is not
> documented clear enough, so authors of various pam modules interpret these
> flags as they like.
> Would you recommend using PAM_REINITIALIZE_CRED instead?
Yes, but mostly because it's what we used in earlier releases. I don't see a much of a practical difference myself. FWIW a spot-check on the pam_krb5 that we include and Russ's show that both implementations treat both flags as equivalent.
kbd-1.15.5-12.fc20 has been submitted as an update for Fedora 20.
kbd-1.15.5-9.fc19 has been submitted as an update for Fedora 19.
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kbd-1.15.5-12.fc20'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).
kbd-1.15.5-9.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
kbd-1.15.5-12.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.