Bug 30838 – strange ssh pam password change behaviour

Bug 30838 - strange ssh pam password change behaviour


Summary:	strange ssh pam password change behaviour

Status:	RESOLVED WONTFIX

Product:	UCS
Classification:	Unclassified
Component:	PAM
Version:	UCS 3.1
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	UCS maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2013-03-20 15:25 CET by Arvid Requate
Modified:	2018-04-13 13:42 CEST (History)
CC List:	3 users (show)

See Also:	44582
What kind of report is it?:	---
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Arvid Requate

2013-03-20 15:25:43 CET

The behaviour for pam password change against ssh (in a Samba4 domain) is a bit strange:

1. It differs between initial created user and repeated password changes
2. The repeated password change dialog has some pretty non-intuitive behaviour. Looks like first pam_unix changes the password and then pam_krb5 comes and says "Hey, you got to cahnge you password!" -- but then it does nothing.

It works in the end, but usability is a bit strange:

## Step 1: create a user who needs to change the password on first login
root@slave12:~# udm users/user create --position "cn=users,$ldap_base" --set username=user7 --set lastname=univention --set password=Univention.99 --set pwdChangeNextLogin=1
## Allow ssh login for him
root@slave12:~# ucr set auth/sshd/user/user7=yes
Create auth/sshd/user/user8
File: /etc/security/access-sshd.conf

## Step 2: first login: OK
arequate@lagra:~$ ssh 10.200.8.12 -l user7   ## try a login
Password: <Univention.99>
You are required to change your password immediately (password aged)
Current Kerberos password: <Univention.99>
Your password will expire at Thu Jan  1 01:00:00 1970

Password: <q1w2e3R$>
Retype new password: <q1w2e3R$>
X11 forwarding request failed on channel 0
user7@slave12:~$
user7@slave12:~$ Abgemeldet
Connection to 10.200.8.12 closed.


## Step 3: user needs to change the password on next login again
root@master10:~#  udm users/user modify --dn uid=user7,cn=users,dc=arucs31i0,dc=qa --set pwdChangeNextLogin=1


## Setup 4: next password change: Strange..
arequate@lagra:~$ ssh 10.200.8.12 -l user7
Password: <q1w2e3R$>
Your password will expire at Thu Jan  1 01:00:00 1970

Changing password
New password: : <Univention.99>
Repeat new password: : <Univention.99>
Success: Password changed

You are required to change your password immediately (password aged)
Current Kerberos password: <IT DOESN'T MATTER WHAT YOU ENTER HERE>
Password: <Univention.99>
X11 forwarding request failed on channel 0
Last login: Wed Feb 13 05:40:29 2013 from lagra.knut.univention.de
user7@slave12:~$

+++ This bug was initially created as a clone of Bug #29438 +++

Comment 1 Stefan Gohmann

2017-06-16 20:36:00 CEST

This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.

Comment 2 Stefan Gohmann

2017-08-08 07:09:36 CEST

This issue has been filed against UCS 3.1.

UCS 3.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.