Bug 36319 - Change of expired password via UMC not possible anymore
Status: CLOSED DUPLICATE of bug 35847
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
UCS 3.2
Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-3-errata
Assigned To: Arvid Requate
Florian Best
Depends on:
Blocks: 36215
Reported: 2014-10-27 18:14 CET by Arvid Requate
Modified: 2014-11-10 11:31 CET (History)



Description Arvid Requate univentionstaff 2014-10-27 18:14:58 CET
UMC doesn't allow interactive password change in case a user password is expired (due to krb5PasswordEnd). Maybe the handling of PAM_NEW_AUTHTOK_REQD needs to be done also in case the authentication failed.

+++ This bug was initially created as a clone of Bug #35985 +++
Comment 1 Arvid Requate univentionstaff 2014-10-28 17:34:37 CET
Fixed. Details of this multi-tiered issue:

* If Heimdal detects an expired password during authentication (via krb5_get_init_creds_password) it checks if a callback function for conversation with the client has been passed. If it has one, then it attempts to initiate a password change directly. If this fails, it returns the error code KRB5KRB_ERR_GENERIC, which masks the original error code ('password expired').

* Since pam_krb5 always passes a conversation handler to the krb5_get_init_creds_password function, it cannot detect the 'password expired' return code. Also, this would only have an effect if the "defer_pwchange" option had been set in the pam stack of univention-management-console, which currently isn't the case. One could argue that the handling of "defer_pwchange" should be fixed in pam_krb5.

* UMC: The conversation function supplied by the UMC authentication module currently is not interactive in the sense that it would directly send the password change dialog back to the user interface and return the result back to Heimdal during the initial authentication call. It only passes the user password and checks the return code. Since the return code is too generic, and negative, it failed to detect the 'password expired'.

* As a workaround the UMC authentication module now reads the standard messages obtained from the Heimdal conversation and reacts accordingly.

Advisory: 2014-10-28-univention-management-console.yaml
Comment 2 Florian Best univentionstaff 2014-11-05 22:41:29 CET
I made a small adjustment in svn55412 to absolutely make sure no authentication bypass is possible.
Comment 3 Florian Best univentionstaff 2014-11-06 10:45:38 CET
Currently no change of password is possible:

06.11.14 10:41:40.760  AUTH        ( INFO    ) : PAM: trying to authenticate a
06.11.14 10:41:40.770  AUTH        ( ERROR   ) : PAM: acct_mgmt error: ('Authentifizierungstoken ist nicht mehr gültig; neues erforderlich', 12)

Nov  6 10:41:40 ucsmaster python2.6: pam_unix(univention-management-console:account): expired password for user a (password aged)
Comment 4 Arvid Requate univentionstaff 2014-11-06 13:36:40 CET
Comment 3 refers to a problem in the case where POSIX authentication still works but pam acct phase detects that something has expired. I added a fix for this and provided a similar fix for the UCS 4.0-0 Bug 35847.

To improve user experience substantially in this area and in all possible scenarios (e.g. samba4, samba3, non-samba) some other factors need to be taken into account which require changes to other packages.
Since UCS 4.0-0 is planned to be released pretty soon, the errata3.2-3 source code changes made for this bug have been reverted. The issue will be addressed in UCS 4.0 instead, so I tag this bug as duplicate.

*** This bug has been marked as a duplicate of bug 35847 ***
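As an added illustration (not code from UCS or from this bug's fix) of the two failure modes described in Comment 1 and Comment 3: a constructed PAM stand-in in which the Heimdal expiry prompt surfaces only through the conversation callback while the Kerberos call itself fails with a generic error, and in which the account phase returns PAM_NEW_AUTHTOK_REQD. The prompt texts, the FakePam class and the user data are assumptions; the real message strings are not quoted in the bug.

```python
"""Login-flow model for the expired-password cases in this bug.  Both
signals (captured Heimdal prompt, acct_mgmt == 12) must lead to a password
change and must never produce a session.  FakePam stands in for libpam."""
from dataclasses import dataclass, field

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12   # numeric value seen in the Comment 3 log line

# Assumed fragments of the Heimdal/pam_krb5 prompt; the Kerberos return code
# is only KRB5KRB_ERR_GENERIC, so the text is the usable signal (Comment 1).
EXPIRED_HINTS = ("password has expired", "new password")


@dataclass
class FakePam:
    """Constructed stack: passwords, Kerberos-expired users, POSIX-aged users."""
    passwords: dict
    krb_expired: set = field(default_factory=set)
    posix_aged: set = field(default_factory=set)

    def authenticate(self, user, password, conv):
        if self.passwords.get(user) != password:
            return PAM_AUTH_ERR           # KDC rejects before any expiry check
        if user in self.krb_expired:
            # Heimdal tries the change through the callback; an unanswered
            # prompt makes the whole call fail generically (Comment 1).
            if conv("Your password has expired. New password: ") is None:
                return PAM_AUTH_ERR
        return PAM_SUCCESS

    def acct_mgmt(self, user):
        # pam_unix account phase: 'expired password ... (password aged)'
        return PAM_NEW_AUTHTOK_REQD if user in self.posix_aged else PAM_SUCCESS


def umc_login(pam, user, password):
    """Returns 'session', 'change-password' or 'denied'."""
    seen = []

    def conv(prompt):
        seen.append(prompt.lower())
        return None                       # cannot answer during this call

    if pam.authenticate(user, password, conv) != PAM_SUCCESS:
        # The expiry prompt only appears after the password was accepted, so
        # reacting to it routes to the change dialog without granting access.
        if any(h in m for m in seen for h in EXPIRED_HINTS):
            return "change-password"
        return "denied"
    if pam.acct_mgmt(user) == PAM_NEW_AUTHTOK_REQD:
        return "change-password"          # Comment 3 case, not a session
    return "session"
```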
Comment 5 Florian Best univentionstaff 2014-11-10 11:30:23 CET
OK, all changes reverted.