Bugzilla – Full Text Bug Listing
Summary: Web Access authentication does not handle expired password pam prompts
Product: ThinLinc
Reporter: Henrik Andersson <email@example.com>
Component: Web Access
Assignee: Pierre Ossman <firstname.lastname@example.org>
Status: CLOSED FIXED
QA Contact: Bugzilla mail exporter <email@example.com>
* Users should be able to go through with the password change process when their password is expired
Bug Depends on: 5086
Attachments: Call pam_chauthtok if necessary
Trying to log in using an account with an expired password gives me the following response:

You are required to change your password immediately (root enforced)
Username: [cendio ]
Password: [ ]

From there I can choose to log in using another user.
Also tested against 4.1.1 and it is not a regression.
More information is needed: which platform is this? What kind of sshd configuration do you have? I failed to set up my CentOS 6 machine to support this. I configured the account as:

# chage astrand3
Changing the aging information for astrand3
Enter the new value, or press ENTER for the default
Minimum Password Age :
Maximum Password Age : 180
Last Password Change (YYYY-MM-DD) [2013-06-01]: 2013-06-01
Password Expiration Warning : 10
Password Inactive : 10
Account Expiration Date (YYYY-MM-DD) [2014-06-01]: 2014-06-01

Ran authconfig-gtk to get a sane configuration. Then, trying to log in:

$ ssh astrand3@scilla
Password:
Your account has expired; please contact your system administrator
astrand3@scilla's password:
Connection closed by 10.47.1.211
(In reply to comment #2)
> More information is needed: which platform is this? What kind of sshd
> configuration do you have?

Produced on a CentOS 6 system default installation (SELinux enabled).
- Configured PasswordAuthentication=no (sshd_config) to disable passwd support in sshd so that it is passed further to pam.
- Disable the user account: chage -d 0 <user>

I believe that the extra message 'You are required to change your password immediately (root enforced)' is the source of the problem, before the actual password prompt.
The code works as intended, but currently there's no support for interactive PAM conversations except in the "authentication" step. As I understand it, the "pamtester" helper does not support this either.
Created an attachment (id=676) [details]
Call pam_chauthtok if necessary

With the attached, password change via the HTML5 client is possible. Still some rough edges, though: need to log in again after the change, plus some info lines are missing.
Note that the discussion on this bug so far has been about enforced password change. There is also the case where you merely get a warning. In that case the attached patch does not solve the issue. Example configuration to get the warning:

[ossman@ossman]$ sudo chage tltest
[sudo] password for ossman:
Changing the aging information for tltest
Enter the new value, or press ENTER for the default
Minimum Password Age :
Maximum Password Age : 30
Last Password Change (YYYY-MM-DD) [2015-11-27]: 2016-08-01
Password Expiration Warning : 20
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [-1]:
~
[ossman@ossman]$ ssh tltest@localhost
tltest@localhost's password:
Warning: your password will expire in 14 days
Last login: Mon Apr 25 11:02:45 2016 from ::1
[tltest@ossman ~]$ logout
Connection to localhost closed.
This is the error from tlwebaccess:

2016-08-17 10:43:51 ERROR tlwebaccess: [::1] Error communicating with PAM subsystem for user u'tltest': [Errno 6] No such device or address: '/var/run/thinlinc/webaccess/pamtester-1ba19c908cd40188d76dbb6841d8a073fdfadb15.in'

And this is how pamtester behaves:

$ sudo ./src/pamtester --echofirst -v thinlinc tltest authenticate acct_mgmt
[sudo] password for ossman:
Sorry, try again.
[sudo] password for ossman:
pamtester: invoking pam_start(thinlinc, tltest, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated:linux99
pamtester: performing operation - acct_mgmt
Warning: your password will expire in 14 days
pamtester: account management done.

So this is probably related to bug 5086 where we discuss the problem of handling messages.
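The conversation callback a PAM client in this position needs, as an added example that is not ThinLinc's or pamtester's code: it answers PAM prompts from replies the web client has already collected and records PAM_TEXT_INFO / PAM_ERROR_MSG lines (the "root enforced" notice and the expiry warning quoted in the comments above) for display instead of treating them as prompts, which is what both the pam_chauthtok path and the acct_mgmt warning case require. The names web_conv and web_conv_state are assumptions, and the handful of Linux-PAM constants and structs are mirrored inline so the file builds without libpam; a real client includes <security/pam_appl.h> instead.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Mirror of the Linux-PAM definitions used below, so the example builds without
 * libpam; a real client drops these lines and includes <security/pam_appl.h>. */
enum { PAM_SUCCESS = 0, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Handed to PAM as appdata_ptr (hypothetical name): replies the web client already
 * supplied, plus every info/error line PAM wants shown, kept for the next response. */
struct web_conv_state {
    const char **answers;   /* queued prompt replies, consumed in order */
    int n_answers, next;
    char info[1024];        /* accumulated PAM_TEXT_INFO / PAM_ERROR_MSG text */
};
/* Conversation callback for pam_authenticate(), pam_acct_mgmt() and
 * pam_chauthtok(). A prompt consumes one queued answer; info and error messages
 * are recorded and get no answer, so a line such as "Warning: your password will
 * expire in 14 days" never swallows the reply meant for the next prompt. */
int web_conv(int num_msg, const struct pam_message **msg,
             struct pam_response **resp, void *appdata_ptr)
{
    struct web_conv_state *st = appdata_ptr;
    struct pam_response *r = num_msg > 0 ? calloc((size_t)num_msg, sizeof *r) : NULL;
    if (!r) { *resp = NULL; return PAM_CONV_ERR; }
    for (int i = 0; i < num_msg; i++) {
        size_t used = strlen(st->info);
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF:
        case PAM_PROMPT_ECHO_ON:
            if (st->next >= st->n_answers) goto fail;   /* more prompts than answers */
            if (!(r[i].resp = strdup(st->answers[st->next++]))) goto fail;
            break;
        case PAM_TEXT_INFO:
        case PAM_ERROR_MSG:
            snprintf(st->info + used, sizeof st->info - used, "%s\n", msg[i]->msg);
            break;
        default:
            goto fail;                                  /* unknown style: refuse */
        }
    }
    *resp = r; return PAM_SUCCESS;
fail:   /* never hand PAM a half-filled array: free it all and report an error */
    for (int i = 0; i < num_msg; i++) free(r[i].resp);
    free(r); *resp = NULL;
    return PAM_CONV_ERR;
}
```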
- Verified the code and that the release notes look good
- Verified that I could change an expired password using Web Access and prompts during login.
(In reply to comment #16)
> - Verified that I could change an expired password using
> Web Access and prompts during login.

This test was verified using local unix accounts. I also verified password change using a system with Active Directory-connected SSSD by checking "User must change password on next logon" on a user in AD, which worked as expected.