Univention Bugzilla – Full Text Bug Listing

Summary: | Detection why password changing fails isn't working anymore | |
---|---|---|---
Product: | UCS | Reporter: | Florian Best <best>
Component: | UMC (Generic) | Assignee: | Florian Best <best>
Status: | CLOSED FIXED | QA Contact: | Felix Botner <botner>
Severity: | normal | |
Priority: | P5 | CC: | gohmann, stoeckigt, ulmer
Version: | UCS 4.1 | |
Target Milestone: | UCS 4.2-0-errata | |
Hardware: | Other | |
OS: | Linux | |
See Also: | https://forge.univention.org/bugzilla/show_bug.cgi?id=36215 https://forge.univention.org/bugzilla/show_bug.cgi?id=38082 https://forge.univention.org/bugzilla/show_bug.cgi?id=43859 | |
What kind of report is it?: | Bug Report | What type of bug is this?: | 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: | 3: Will affect average number of installed domains | How will those affected feel about the bug?: | 2: A Pain – users won’t like this once they notice it
User Pain: | 0.171 | Enterprise Customer affected?: | Yes
School Customer affected?: | Yes | ISV affected?: |
Waiting Support: | | Flags outvoted (downgraded) after PO Review: |
Ticket number: | 2016062921000116, 2016091321000622 | Bug group (optional): | Error handling, External feedback
Max CVSS v3 score: | | |
Bug Depends on: | | |
Bug Blocks: | 36215 | |
Attachments: | Screenshot | |
Description
Florian Best
2016-07-13 13:29:44 CEST
The problem is that the output of pam_krb5 changed. We are parsing raw strings.

Created attachment 7799
Screenshot
Hm, the screenshot shows more information. Nevertheless we should integrate the missing/changed prompts so that a more human-readable message is shown again.
And we should write a test case which covers every case (too-short, too-simple, kerberos (samba / ad), unix).
': Password too short, password must be at least 6 characters long.'
': Password too short, password must be at least 8 characters long.'
': Password does not meet complexity requirements'
'Schlechtes Passwort: Es basiert auf einem (umgekehrten) Wörterbucheintrag'
'Schlechtes Passwort: Es basiert auf einem Wörterbucheintrag'
'Schlechtes Passwort: Es ist VIEL zu kurz'
'Schlechtes Passwort: Es ist zu kurz'
'Schlechtes Passwort: ist dem alten zu ähnlich'
'Schlechtes Passwort: ist ein Palindrome'
'Schlechtes Passwort: ist zu einfach'
'Schlechtes Passwort: wurde gedreht'
'Unable to reach any changepw server in realm FOO.BAR'

01.02.17 11:57:05.827 AUTH ( INFO ) : PAM says: 'Your password will expire at Thu Jan 1 01:00:00 1970\n'
01.02.17 11:57:05.827 AUTH ( INFO ) : PAM says: 'Changing password'
01.02.17 11:57:05.870 AUTH ( INFO ) : PAM says: 'Error: Password does not meet complexity requirements\n'

This causes the UMC to display an error message instead of changing/prompting for a new password.

This bug also affects the Self-Service "password change" functionality, as it uses the UMC to change the password.

# grep account /etc/pam.d/univention-management-console
→ reveals that we do pam_acct_mgmt with pam_unix.so, pam_ldap.so, pam_krb5.so

# dpkg -S pam_unix.so pam_krb5.so pam_ldap.so
libpam-modules:amd64: /lib/x86_64-linux-gnu/security/pam_unix.so
libpam-heimdal:amd64: /lib/x86_64-linux-gnu/security/pam_krb5.so
libpam-ldap:amd64: /lib/x86_64-linux-gnu/security/pam_ldap.so

# ucr set repository/online/sources=yes
# apt-get source libpam-ldap libpam-heimdal libpam-modules

The strings for pam_unix are translated via gettext; they can be found via:
rgrep '_("' pam-*
The German translations are in pam-*/po/de.po.
→ We should find a way to run PAM with locale C instead of the system locale so that this also works with a French UCS system.

The strings for pam_ldap can be extracted via (they seem untranslated):
# tar xvzf libpam-ldap-*/*tar.gz
# grep -A15 const.*policy_error_table pam_ldap-*/pam_ldap.c
# grep -C4 _conv_sendmsg pam_ldap-*/pam_ldap.c | grep '"'

The strings for pam_krb5 can be extracted via:
# rgrep -C4 pamk5_conv libpam-krb5-*/ | grep '"'
→ This seems to be incomplete as pam_krb5 speaks with another library (heimdal-kdc)
# apt-get source heimdal-kdc
# rgrep 'N_(' heimdal-*/lib/krb5/changepw.c
→ This seems to be again incomplete as change_password_loop connects with a Kerberos server.
→ The Kerberos server can probably be Samba OR Active Directory - if the UCS system is configured as AD Member?!
→ So we must also collect the error messages from both of these components. How to do this?

Active Directory can be ignored as long as Bug #38082 is not fixed.

Samba4 KDC:
# apt-get source samba
# rgrep -A6 reject_string samba-*/source4/kdc/ | grep '"'

Heimdal: (/usr/lib/heimdal-servers/kpasswdd)
→ uses kadm5_check_password_quality() AND error messages from UDM!
# grep -C3 reply_priv heimdal-*/kpasswd/kpasswdd.c | grep '"'
# grep '"' heimdal-*/lib/kadm5/password_quality.c

What about Samba3?

I extracted the following error messages:

Samba 4 KDC:
"Password too short, password must be at least %d characters long."
"Password too short"
"Password does not meet complexity requirements"
"Password is already in password history. New password must not match any of your %d previous passwords."
"Password is already in password history"
"Password change rejected, password changes may not be permitted on this account, or the minimum password age may not have elapsed."

pam_unix:
"Bad: new password must be different than the old one"
"Bad: new password cannot be a palindrome"
"Bad: new and old password must differ by more than just case"
"Bad: new and old password are too similar"
"Bad: new password is too simple"
"Bad: new password is just a wrapped version of the old one"
"You must choose a longer password"
"Password has been already used. Choose another."
"You must wait longer to change your password"
"is the same as the old one"
"is a palindrome"
"case changes only"
"is too similar to the old one"
"is too simple"
"is rotated"
"not enough character classes"
"contains too many same characters consecutively"
"contains too long of a monotonic character sequence"
"contains the user name in some form"
"Password has been already used. Choose another."
"Password has been already used."

pam_ldap:
"Insufficient Password Quality", "Password Too Short", "Password Too Young", "Password Insufficient"

pam_krb5:
"Unable to reach any changepw server in realm %s"

Heimdal KDC:
"Password already used"
"Password is too short"
"The passwort didn't pass quality check"
"Password too short"
"Password doesn't meet complexity requirement.\n"
"Add more characters from at least %d of the\nfollowing classes:\n"
"1. English uppercase characters (A through Z)\n"
"2. English lowercase characters (a through z)\n"
"3. Base 10 digits (0 through 9)\n"
"4. Nonalphanumeric characters (e.g., !, $, #, %%)"

ucs-test (7.0.21-22):
r79244 | Bug #41786: error message differs for samba4 / plain heimdal
r79239 | Bug #41786: fix error message
r79070 | Bug #43859: Bug #41786: fix filename extension
r79064 | Bug #43859: Bug #41786: add missing executable flag
r79062 | Bug #43859: Bug #41786: add 60_umc/104_expired_password
r78992 | Bug #41786: add missing trailing dot

univention-management-console.yaml:
r78976 | Bug #41786: parse more PAM error messages when changing password fails

univention-management-console (9.0.80-11):
r79243 | Bug #41786: use the language of the currently logged in user
r79238 | Bug #41786: fix duplicated groupdict
r78976 | Bug #41786: parse more PAM error messages when changing password fails

OK - the reason for the failed password change is displayed in UMC (although in English -> Bug #Univention)
OK - univention-management-console.yaml

*** Bug 45102 has been marked as a duplicate of this bug. ***
*** Bug 44584 has been marked as a duplicate of this bug. ***
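As an added illustration (not code from UMC or from the fix referenced in this bug), the following Python classifier maps the raw PAM prompt strings collected in this report to stable reason codes and scans UMC AUTH log lines in the quoted format. The regex table, the reason codes and the function names are assumptions built from the strings quoted above; the umlauts are matched loosely so that both the correct text and the mis-encoded form seen in this report are recognised.

```python
import re

# Constructed lookup table: (regex, reason code). The alternatives come from the
# pam_unix, pam_ldap, pam_krb5, Samba 4 KDC and Heimdal KDC strings quoted in
# this report. Umlauts are matched with "." so that both the correct text
# ("ähnlich") and the mis-encoded form seen in the report ("?hnlich") hit.
PASSWORD_CHANGE_ERRORS = [
    (r"too short|zu kurz|choose a longer password", "too_short"),
    (r"complexity|character classes|insufficient password quality|"
     r"too simple|zu einfach|quality check", "too_simple"),
    (r"palindrom", "palindrome"),
    (r"too similar|zu .hnlich|must be different|same as the old one|"
     r"case changes only|rotated|gedreht|wrapped version", "similar_to_old"),
    (r"dictionary|W.rterbucheintrag", "dictionary_word"),
    (r"password history|already used", "in_history"),
    (r"too young|wait longer|minimum password age", "too_young"),
    (r"unable to reach any changepw server", "kdc_unreachable"),
]

# Format of the UMC AUTH log lines quoted in the report (assumed stable).
LOG_LINE = re.compile(r"AUTH \( INFO \) : PAM says: '(.*)'$")


def classify_pam_message(msg):
    """Map one raw PAM prompt to a reason code; None for informational prompts
    such as 'Changing password' or 'Your password will expire ...'."""
    for pattern, reason in PASSWORD_CHANGE_ERRORS:
        if re.search(pattern, msg, re.IGNORECASE):
            return reason
    return None


def password_change_failure(log_lines):
    """Return the reason code of the first rejected password change found in
    the given AUTH log lines, or None when no rejection was logged."""
    for line in log_lines:
        match = LOG_LINE.search(line)
        if match:
            reason = classify_pam_message(match.group(1))
            if reason:
                return reason
    return None


# Log excerpt as quoted in the report (the '\n' is literal in the log).
SAMPLE_LOG = [
    "01.02.17 11:57:05.827 AUTH ( INFO ) : PAM says: 'Your password will expire at Thu Jan 1 01:00:00 1970\\n'",
    "01.02.17 11:57:05.827 AUTH ( INFO ) : PAM says: 'Changing password'",
    "01.02.17 11:57:05.870 AUTH ( INFO ) : PAM says: 'Error: Password does not meet complexity requirements\\n'",
]
```

Running `password_change_failure(SAMPLE_LOG)` on the quoted excerpt yields `too_simple`; the informational prompts are skipped because no pattern matches them.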