Univention Bugzilla – Bug 36319
Change of expired password via UMC not possible anymore
Last modified: 2014-11-10 11:31:23 CET
UMC doesn't allow interactive password change in case a user password is expired (due to krb5PasswordEnd). Maybe the handling of PAM_NEW_AUTHTOK_REQD needs to be done also in case the authentication failed.

+++ This bug was initially created as a clone of Bug #35985 +++
Fixed. Details of this multi-tiered issue:

* If Heimdal detects an expired password during authentication (via krb5_get_init_creds_password) it checks if a callback function for conversation with the client has been passed. If it has one, then it attempts to initiate a password change directly. If this fails, it returns the error code KRB5KRB_ERR_GENERIC, which masks the original error code ('password expired').
* Since pam_krb5 always passes a conversation handler to the krb5_get_init_creds_password function, it cannot detect the 'password expired' return code. Also, this would only have an effect if the "defer_pwchange" option had been set in the pam stack of univention-management-console, which currently isn't the case. One could argue that the handling of "defer_pwchange" should be fixed in pam_krb5.
* UMC: The conversation function supplied by the UMC authentication module currently is not interactive in the sense that it would directly send the password change dialog back to the user interface and return the result back to Heimdal during the initial authentication call. It only passes the user password and checks the return code. Since the return code is too generic, and negative, it failed to detect the 'password expired'.
* As a workaround the UMC authentication module now reads the standard messages obtained from the Heimdal conversation and reacts accordingly.

Advisory: 2014-10-28-univention-management-console.yaml
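To illustrate the workaround described in the comment above, here is an added example (not Univention's code and not the UMC authentication module): a PAM-style conversation callback that recognises Heimdal's change-password prompts and lets the caller report 'password expired' instead of a generic failure. The prompt wording, the regular expression and the stand-in for krb5_get_init_creds_password are assumptions.

```python
# Added example, not Univention's code: a conversation callback that inspects
# the messages Heimdal sends during authentication. Prompt wording and the
# stand-in for krb5_get_init_creds_password below are assumptions.
import re

PAM_PROMPT_ECHO_OFF, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 3, 4  # <security/pam_appl.h>

# Assumed wording of Heimdal's change-password prompt (English or German).
NEW_PASSWORD_RE = re.compile(r"\b(new|neues) (password|passwort)", re.I)


class PasswordExpired(Exception):
    """Heimdal tried to open a change-password dialog during authentication."""


class UMCConversation:
    """Answers the initial password prompt only; it never acts as an
    interactive change-password dialog on the user's behalf."""

    def __init__(self, password):
        self.password = password
        self.messages = []  # informational text from Heimdal, for the UI

    def __call__(self, prompts):
        replies = []
        for style, text in prompts:
            if style == PAM_PROMPT_ECHO_OFF and NEW_PASSWORD_RE.search(text):
                # Replying with the old password here would let the KDC "change"
                # the password to itself and the login would succeed although it
                # is expired: abort instead so the caller can surface the expiry.
                raise PasswordExpired(text)
            replies.append(self.password if style == PAM_PROMPT_ECHO_OFF else None)
            if style in (PAM_TEXT_INFO, PAM_ERROR_MSG):
                self.messages.append(text)
        return replies


def fake_get_init_creds_password(conv, stored_pw, expired):
    """Constructed stand-in for Heimdal's behaviour when a conv callback is set."""
    (pw,) = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
    if pw != stored_pw:
        return "KRB5KRB_AP_ERR_BAD_INTEGRITY"
    if not expired:
        return "OK"
    conv([(PAM_TEXT_INFO, "Your password has expired and must be changed.")])
    new, again = conv([(PAM_PROMPT_ECHO_OFF, "New password: "),
                       (PAM_PROMPT_ECHO_OFF, "Repeat new password: ")])
    return "OK" if new == again else "KRB5KRB_ERR_GENERIC"


def authenticate(password, stored_pw, expired):
    """Returns OK, PASSWORD_EXPIRED or FAILED for the front end to act on."""
    try:
        code = fake_get_init_creds_password(UMCConversation(password), stored_pw, expired)
    except PasswordExpired:
        return "PASSWORD_EXPIRED"
    return "OK" if code == "OK" else "FAILED"
```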
I made a small adjustment in svn55412 to absolutely make sure no authentication bypass is possible.
Currently no change of password is possible:

umc-server.log
06.11.14 10:41:40.760 AUTH ( INFO ) : PAM: trying to authenticate a
06.11.14 10:41:40.770 AUTH ( ERROR ) : PAM: acct_mgmt error: ('Authentifizierungstoken ist nicht mehr g?ltig; neues erforderlich', 12)

auth.log
Nov 6 10:41:40 ucsmaster python2.6: pam_unix(univention-management-console:account): expired password for user a (password aged)
Comment 3 refers to a problem in the case where POSIX authentication still works but the pam acct phase detects that something has expired. I added a fix for this and provided a similar fix for the UCS 4.0-0 Bug 35847. To improve user experience substantially in this area and in all possible scenarios (e.g. samba4, samba3, non-samba) some other factors need to be taken into account which require changes to other packages. Since UCS 4.0-0 is planned to be released pretty soon, the errata3.2-3 source code changes made for this bug have been reverted. The issue will be addressed in UCS 4.0 instead, so I tag this bug as duplicate.

*** This bug has been marked as a duplicate of bug 35847 ***
OK, all changes reverted.