Univention Bugzilla – Bug 30425
Password change: RDP to Windows TS fails, pam_ccreds cache is not updated, pam_mount uses old password
Last modified: 2015-04-01 06:01:32 CEST
A user has to change the password on the next login. If that user logs on to a UCC RDP session, lightdm asks for the new password, but the session to the Windows server fails. lightdm saves the user's password to allow /usr/share/xsessions/RDP to pass the password as a parameter to the rdpclient. But this password is saved before the password change.
The temporarily saved password in /tmp/passwd isn't updated in that case. This needs to be handled in the PAM configuration or in the script which stores the password. As a workaround, a login to a different session script can be performed.
Postponed to 1.1, as this only affects RDP sessions. The problem is that pam_krb5.so lets the Kerberos library handle the actual password change, even if defer_pwchange is activated (as in UCC). Therefore the new password never appears in pam_krb5.so and cannot be stored internally. Also, the password change is done in the authentication part (auth ... pam_krb5.so), not in common-password. Normally, the PAM module stores the new password in PAM_AUTHTOK after a password change and pam_runasroot exports this password. pam_runasroot.c: retval = pam_get_item ( pamh, PAM_AUTHTOK, (const void **) &password ); ... setenv ( "PASSWD", password, 1 ); ... But with pam_krb5.so the new password is not saved in PAM_AUTHTOK. I have added a bit of debugging to pam_krb5.so (SSH login with a user that has to change the password):
libpam-krb5-4.5/auth.c: @@ -710,6 +710,7 @@ goto done; } pam_get_item(args->pamh, authtok, (PAM_CONST void **) &pass); + putil_debug(args, "password %s", pass); } /* @@ -744,15 +746,20 @@ } } if (!do_only_alt) { + putil_debug(args, "k5login_password_auth|krb5_get_init_creds_password"); if (args->config->search_k5login) { + putil_debug(args, "k5login_password_auth"); success = k5login_password_auth(args, *creds, opts, service, pass, &retval); } else { + putil_debug(args, "krb5_get_init_creds_password"); retval = krb5_get_init_creds_password(ctx->context, *creds, ctx->princ, pass, pamk5_prompter_krb5, args, 0, (char *) service, opts); + putil_debug(args, "krb5_get_init_creds_password end"); success = (retval == 0) ? PAM_SUCCESS : PAM_AUTH_ERR; } + putil_debug(args, "success: %d", success); } /* 
@@ -778,6 +788,7 @@ * we failed, make sure retval is not 0 out of paranoia, since later * on all we care about is retval. */ + putil_debug(args, "password %s", pass); if (success == PAM_SUCCESS) break; else if (retval == 0) /var/log/auth.log: pam_krb5(sshd:auth): pam_sm_authenticate: entry (nonull) pam_krb5(sshd:auth): (user test2) defer_pwchange 0 pam_krb5(sshd:auth): (user test2) attempting authentication as test2@TEST.FB ==> PASSWORD PROMPT pam_krb5(sshd:auth): (user test2) password univention pam_krb5(sshd:auth): (user test2) k5login_password_auth|krb5_get_init_creds_password pam_krb5(sshd:auth): (user test2) krb5_get_init_creds_password ==> PASSWORD CHANGE pam_krb5(sshd:auth): (user test2) krb5_get_init_creds_password end pam_krb5(sshd:auth): (user test2) success: 0 pam_krb5(sshd:auth): (user test2) password univention pam_krb5(sshd:auth): (user test2) pamk5_password_auth 0 pam_krb5(sshd:auth): user test2 authenticated as test2@TEST.FB pam_krb5(sshd:auth): pam_sm_authenticate: exit (success) PAM-runasroot[23793]: continuing as normal user PAM-runasroot[23793]: continuing as normal user ...
It seems that the password change is done in krb5_get_init_creds_password from libkrb5.so.26, so I don't see how to get the password here; maybe there is a way in lightdm or the greeter.
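Review bot: the added `+ putil_debug(args, "password %s", pass);` in the @@ -710 hunk writes the user's cleartext password to syslog, and the auth.log excerpt above confirms it landing there as "(user test2) password univention". Even for a throwaway diagnostic, log only whether `pass` is non-NULL, or whether it differs from a copy taken before the krb5 call, never the value itself; auth.log is routinely forwarded to central collectors and retained through rotation, so the secret outlives the debugging session.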
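Review bot: the same cleartext `putil_debug(args, "password %s", pass)` recurs at the top of the @@ -778 hunk, directly after krb5_get_init_creds_password returns; the excerpt shows it printing the unchanged old password after the "==> PASSWORD CHANGE" prompt, which is the evidence this comment relies on. Logging the result of comparing `pass` with a copy saved before the call (changed / unchanged) would give the same evidence without putting the password in the log.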
*** Bug 32077 has been marked as a duplicate of this bug. ***
Still the same... libpam-krb5-4.6/auth.c:password_auth calls "krb5_get_init_creds_password" from libkrb5.so (libkrb5-26-heimdal) to authenticate and handle the password change. But the new password is never returned to libpam-krb5 and therefore can't be stored in AUTHTOK.
While there's no immediate fix possible, I'm moving it to errata for now: we should raise this issue upstream; maybe a workaround can be implemented in LightDM.
See also Bug 35333; this problem causes multiple issues (RDP login -> pam_runasroot.so save_pass, pam_ccreds, pam_mount) because all subsequent PAM modules use the wrong (the old) password. Maybe we could export the new password in heimdal->krb5_get_init_creds_password() and then set PAM_AUTHTOK in pam_krb5->password_auth() to this value?
Removing errata status. If it is critical in any environment, please comment on this issue.
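As an added illustration of the mechanism described in the comments above (the library-driven password change leaving PAM_AUTHTOK stale, so that pam_runasroot exports the old password to pam_mount, pam_ccreds and the RDP script) and of the proposal to set PAM_AUTHTOK to the new value, here is a constructed Python model of the PAM stack. It is not UCC, libpam-krb5 or Heimdal code. It assumes that the Kerberos library collects the new password through the prompter callback pam_krb5 hands it (pamk5_prompter_krb5 in the hunk above), which is where a capture could hook in; PamHandle, KerberosLibrary, login and the sample passwords are inventions of the model.

```python
"""Constructed model of the PAM flow discussed in Bug 30425: pam_krb5 hands
authentication (and any forced password change) to the Kerberos library, then
pam_runasroot exports PAM_AUTHTOK as PASSWD for later modules such as pam_mount.
This is a simulation, not UCC, libpam-krb5 or Heimdal code."""

PAM_AUTHTOK = "PAM_AUTHTOK"


class PamHandle:
    """Minimal stand-in for pam_handle_t: PAM items plus the environment
    that pam_runasroot populates."""

    def __init__(self):
        self.items = {}
        self.env = {}

    def get_item(self, item):
        return self.items.get(item)

    def set_item(self, item, value):
        self.items[item] = value


class KerberosLibrary:
    """Stand-in for libkrb5's krb5_get_init_creds_password. When the principal
    is flagged must-change, the library itself drives the password change
    through the prompter callback it was given (an assumption of this model,
    mirroring the '==> PASSWORD CHANGE' that appears inside the call in the
    bug's trace)."""

    def __init__(self, password, must_change):
        self.password = password
        self.must_change = must_change

    def get_init_creds_password(self, password, prompter):
        if password != self.password:
            return 1  # non-zero like a krb5 error code: authentication failed
        if self.must_change:
            self.password = prompter("New password: ")
            self.must_change = False
        return 0


def pam_krb5_auth(pamh, krb5, prompter, update_authtok):
    """Model of libpam-krb5's password_auth. With update_authtok=False it
    behaves as described in the bug: the old token stays in PAM_AUTHTOK.
    With update_authtok=True it captures the new password from the prompter
    and stores it in PAM_AUTHTOK, the fix proposed in the thread."""
    captured = {}

    def capturing_prompter(msg):
        captured["new"] = prompter(msg)
        return captured["new"]

    retval = krb5.get_init_creds_password(pamh.get_item(PAM_AUTHTOK),
                                          capturing_prompter)
    if retval == 0 and update_authtok and "new" in captured:
        pamh.set_item(PAM_AUTHTOK, captured["new"])
    return retval == 0


def pam_runasroot(pamh):
    """Model of pam_runasroot: export PAM_AUTHTOK as PASSWD for session scripts."""
    pamh.env["PASSWD"] = pamh.get_item(PAM_AUTHTOK)


def pam_mount(pamh, krb5):
    """Model of a later consumer (pam_mount, pam_ccreds, the RDP script) that
    reuses PASSWD; it only works if PASSWD is the user's current password."""
    return pamh.env.get("PASSWD") == krb5.password


def login(old_password, new_password, update_authtok):
    """Run one forced-change login through the modelled stack and report what
    the downstream modules saw. Passwords are constructed sample values."""
    krb5 = KerberosLibrary(old_password, must_change=True)
    pamh = PamHandle()
    pamh.set_item(PAM_AUTHTOK, old_password)  # password typed at the greeter
    authenticated = pam_krb5_auth(pamh, krb5, lambda _msg: new_password,
                                  update_authtok)
    pam_runasroot(pamh)
    return {
        "authenticated": authenticated,
        "PASSWD": pamh.env["PASSWD"],
        "mount_ok": pam_mount(pamh, krb5),
    }


if __name__ == "__main__":
    print("current behaviour:     ", login("old-secret", "new-secret", False))
    print("PAM_AUTHTOK updated:   ", login("old-secret", "new-secret", True))
```

Run it and the first line shows authentication succeeding while PASSWD still holds the old password and the mount step fails, which is the chain of failures listed in the comment above; the second line shows that storing the captured value in PAM_AUTHTOK before pam_runasroot runs is enough for every later consumer to see the current password.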