Univention Bugzilla – Bug 51903
UCS user authentication takes place after the "PW expired" check
Last modified: 2020-10-07 14:32:02 CEST
univention-app info
UCS: 4.4-5 errata712
Installed: adconnector=12.0 itslearning=3.2 self-service=4.0 self-service-backend=4.0 ucs-to-school-transformer=1.3.2 ucsschool=4.4 v6 ucssc
Upgradable: ucsschool-kelvin-rest-api

Despite the incorrect entry of the password, the message "Your password has expired. Please change your password and log in again" is displayed when a user logs in for whom the flag "User must change the password at the next login" is set. If the password is entered incorrectly, the user should receive a message stating that the login data is incorrect.
This only applies to the SAML login and was introduced in git:174254e04b288cee5f7799adb4ddfbce4b536573 (Bug #43384)
I don't see a security risk here. It is a usability issue, though.
(In reply to Ingo Steuwer from comment #3)
> I don't see a security risk here. It is a usability issue, though.
With the knowledge of a username one can find out if the user is expired or disabled, without knowing its password. Without any knowledge, one can brute force for usernames which are expired or disabled.
r19153 - simplesamlphp
  added simplesamlphp/4.4-0-0-ucs/1.16.3-1+deb10u1-errata4.4-6/06_extended_error.quilt to expose the LDAP extended error message
58a608cc20c0d412a95932c7097c65ebdcd47037 - simplesamlphp.yaml
f6380357f1344b9dc8b3b38585e66a910342a26f - univention-saml
  in case of WRONGUSERPASS check for password change only if extended error indicates password/account has expired
400b07f12888a7cfd8fdfb4df50b08ecbce8ee14 - univention-saml.yaml
8488effd72ff97027a0a196cf2f4cce68fd3f70e - ucs-test
  extended 10_saml_password_expire and 11_saml_user_expire
QA please re-open after successful QA for merge to 5.0
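Added example, not Univention's code: a minimal Python model of the flaw comment #4 describes (a wrong password on an expired account still yields the "password expired" message, so anyone can probe account state) and of the fix summarized above (after WRONGUSERPASS, act only on the directory's extended error). The simulated directory, its diagnostic strings, the account names and the message wording are all constructed; the real simplesamlphp/univention-saml code, the LDAP error formats and the ucs-test cases are not reproduced. The simulated bind reports expiry only after the password has been verified, which is the property the fix depends on; confirm that your directory behaves the same way before relying on its extended error.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Tuple

# User-facing messages (constructed; wording follows the bug report loosely).
MSG_OK = "login ok"
MSG_BAD_CREDS = "The login data is incorrect."
MSG_EXPIRED = "Your password has expired. Please change your password and log in again."

# Constructed stand-ins for the LDAP extended error text the fix exposes.
DIAG_WRONG_PASSWORD = "wrong password"
DIAG_PW_EXPIRED = "password expired"
DIAG_ACCOUNT_EXPIRED = "account expired"


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    password_expired: bool = False
    account_expired: bool = False


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class SimulatedDirectory:
    """Toy LDAP server. bind() verifies the password before it reports expiry,
    so an expiry diagnostic only ever accompanies a correct password."""

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def add(self, username: str, password: str,
            password_expired: bool = False, account_expired: bool = False) -> None:
        salt = os.urandom(16)
        self.accounts[username] = Account(salt, _hash(password, salt),
                                          password_expired, account_expired)

    def bind(self, username: str, password: str) -> Tuple[str, str]:
        acct = self.accounts.get(username)
        if acct is None or not hmac.compare_digest(acct.pw_hash, _hash(password, acct.salt)):
            return "invalidCredentials", DIAG_WRONG_PASSWORD
        if acct.password_expired:
            return "invalidCredentials", DIAG_PW_EXPIRED
        if acct.account_expired:
            return "invalidCredentials", DIAG_ACCOUNT_EXPIRED
        return "success", ""

    def password_expired(self, username: str) -> bool:
        """Attribute read that needs no authentication; the pre-fix logic relied on it."""
        acct = self.accounts.get(username)
        return acct is not None and (acct.password_expired or acct.account_expired)


def login_before_fix(directory: SimulatedDirectory, username: str, password: str) -> str:
    rc, _diag = directory.bind(username, password)
    if rc == "success":
        return MSG_OK
    # Bug: after WRONGUSERPASS the account's expiry state is consulted
    # whether or not the password was right, so the message differs per account.
    if directory.password_expired(username):
        return MSG_EXPIRED
    return MSG_BAD_CREDS


def login_after_fix(directory: SimulatedDirectory, username: str, password: str) -> str:
    rc, diag = directory.bind(username, password)
    if rc == "success":
        return MSG_OK
    # Fix: only the extended error decides, and the directory sets it only
    # once the password has been verified.
    if diag in (DIAG_PW_EXPIRED, DIAG_ACCOUNT_EXPIRED):
        return MSG_EXPIRED
    return MSG_BAD_CREDS


def wrong_password_responses(login, directory, usernames) -> Dict[str, str]:
    """Regression check in the spirit of the ucs-test cases: with a wrong
    password every name, known or unknown, expired or not, gets the same reply."""
    return {u: login(directory, u, "definitely-not-the-password") for u in usernames}


def leaks_account_state(login, directory, usernames) -> bool:
    return len(set(wrong_password_responses(login, directory, usernames).values())) > 1


def build_demo_directory() -> SimulatedDirectory:
    d = SimulatedDirectory()  # constructed accounts
    d.add("alice", "correct horse")
    d.add("bob", "battery staple", password_expired=True)
    d.add("carol", "s3cret", account_expired=True)
    return d


if __name__ == "__main__":
    demo = build_demo_directory()
    for label, fn in (("before fix", login_before_fix), ("after fix", login_after_fix)):
        print(label, wrong_password_responses(fn, demo, ["alice", "bob", "carol", "nobody"]))
```

Run stand-alone, the pre-fix mapping returns the expiry message for bob and carol and the generic message for alice and the unknown name, while the post-fix mapping returns the generic message for all four and reserves the expiry message for a correct password on an expired account.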
Test failed on s4 member since creation, because the login was checked before the new test user was added in the master's Samba database. 1069894f34fff516a9b02dff7ec185ab8bfd677b seems to have fixed this for now. See Bug #52145
What I tested:
SAML/UMC login with/without Samba: false password is detected, user is not instructed to change the password: OK
SAML/UMC login with user from AD domain: false password is detected, user is not instructed to change the password: OK
Tests: OK
YAML: OK
VERIFIED
Reopen: Create merge-request for 5.0
Merge Request: https://git.knut.univention.de/univention/ucs/-/merge_requests/4
f6380357f1344b9dc8b3b38585e66a910342a26f
8488effd72ff97027a0a196cf2f4cce68fd3f70e
1069894f34fff516a9b02dff7ec185ab8bfd677b
patch: r19158, package built in UCS5
OK, merge request created, simplesamlphp built in UCS5
<https://errata.software-univention.de/#/?erratum=4.4x766> <https://errata.software-univention.de/#/?erratum=4.4x767>