Univention Bugzilla – Bug 48684
Changing password ignores pam_cracklib
Last modified: 2020-09-18 13:32:54 CEST
When changing the password via the UMC login (or self service) and pam_cracklib says the password is not complex enough, the password is nevertheless half-changed by pam_krb5 (don't know how and why, seems strange, but happens on a customer environment).

I could track down the reason: UMC runs as root, and pam_cracklib *always* allows root to change the password, so the checks aren't evaluated.

Fix (manpage says):

enforce_for_root
    The module will return error on failed check also if the user changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. Note that root is not asked for an old password so the checks that compare the old and new password are not performed.

(See also: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=580357)
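The root bypass described above can be checked for in a PAM service file with the following shell function, added here as an example (it is not code from the bug report or from UCS); the sample stack it runs on is constructed and the function name is an assumption.

```shell
#!/bin/sh
# audit_pam_file FILE
# Lists 'password'-stack lines in one PAM service file that load pam_cracklib.so
# (or pam_pwquality.so, which takes the same option) without enforce_for_root.
# Without that option the module only prints the failed check for root and lets
# the change through; a process changing passwords as root (as the UMC server
# does) therefore bypasses the complexity rules. Prints each offending line;
# returns 0 when none is found, 1 otherwise. Does not follow @include lines.
audit_pam_file() {
    file="$1"
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \#*|"") continue ;;                             # comments, blank lines
            password[[:space:]]*|-password[[:space:]]*) ;;  # password stack only
            *) continue ;;
        esac
        case "$line" in
            *pam_cracklib.so*|*pam_pwquality.so*) ;;        # the quality module
            *) continue ;;
        esac
        case " $line " in
            *[[:space:]]enforce_for_root[[:space:]]*) ;;    # option present: fine
            *) printf '%s\n' "$line"; status=1 ;;
        esac
    done < "$file"
    return "$status"
}

# Demonstration on a constructed file (not taken from any real system).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# constructed sample of a common-password stack
password requisite pam_cracklib.so retry=3 minlen=8 difok=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok
password required pam_krb5.so use_authtok
EOF
if audit_pam_file "$demo"; then
    echo "ok: enforce_for_root set on every pam_cracklib line"
else
    echo "weak: the line(s) above let root bypass the checks"
fi
rm -f "$demo"
```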
I adjusted the pam configuration accordingly.

univention-management-console (10.0.6-19)
34e9cbc3096b | Bug #48684: fix pam_cracklib as root

univention-management-console.yaml
78b389e05832 | YAML Bug #48684

Merge to UCS 4.4:
univention-management-console (11.0.2-1)
5b74ab4f185e | Bug #48684: fix pam_cracklib as root
So, triggering this causes the following log message with debug level 4:

AUTH (INFO) : PAM says: 'Schlechtes Passwort: ist dem alten zu \xc3\xa4hnlich'
AUTH (INFO) : PAM says: 'BAD PASSWORD: is too similar to the old one'

Happened when changing the password e.g. from "Univention123§" to "Univention234§".

The error that the userPassword attribute is unchanged, while krb5Key, etc. are all updated, is a different thing. I will create another bug as soon as I know what's going on exactly.
We should revert the changes of Bug #46131 in the test cases, if there were any.
I think these tests need to be adjusted:

http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/60_umc/07_expired_password/test/
http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/60_umc/105_change_expired_password_fail_reason/test/

For some reason "105_change_expired_password_fail_reason" only fails with samba installed?
(In reply to Jürn Brodersen from comment #4)
> I think these tests need to be adjusted:
> http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/60_umc/07_expired_password/test/
> http://jenkins.knut.univention.de:8080/job/UCS-4.4/job/UCS-4.4-0/job/AutotestJoin/lastCompletedBuild/SambaVersion=s4,Systemrolle=master/testReport/60_umc/105_change_expired_password_fail_reason/test/

Yes, the changes were done via Bug #46126.

> For some reason "105_change_expired_password_fail_reason" only fails with
> samba installed?

Will have a look next week. The test case doesn't fail currently, right?
QA:

OK: before patch:
( INFO ) : PAM says: 'Schlechtes Passwort: ist dem alten zu \xc3\xa4hnlich'
( INFO ) : Password change for 'u1' was successful

after patch:
( INFO ) : PAM says: 'Schlechtes Passwort: ist dem alten zu \xc3\xa4hnlich'
( WARN ) : Changing password failed (('Fehler beim \xc3\x84ndern des Authentifizierungstoken', 20)). Prompts: [('Current Kerberos password: ', 1), ('Your password will expire at Mon Mar 4 01:00:00 2019\n', 4), ('Geben Sie ein neues Passwort ein: ', 1), ('Schlechtes Passwort: ist dem alten zu \xc3\xa4hnlich', 3)]

OK: YAML
OK: Merge
Tests are also adjusted now.
<http://errata.software-univention.de/ucs/4.3/450.html>