Bug 5028 - Web Access authentication does not handle expired password pam prompts
Summary: Web Access authentication does not handle expired password pam prompts
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.10.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, relnotes
Depends on: 5086
Blocks:
Reported: 2014-03-19 14:44 CET by Henrik Andersson
Modified: 2018-08-13 13:35 CEST

See Also:
Acceptance Criteria:
* Users should be able to go through with the password change process when their password is expired


Attachments
Call pam_chauthtok if necessary (737 bytes, patch)
2016-02-29 08:25 CET, Peter Åstrand

Description Henrik Andersson cendio 2014-03-19 14:44:04 CET
Trying to login using an account with expired password gives me following response:

You are required to change your password immediately (root enforced)

Username: [cendio     ]
Password: [           ]


From there I can choose to login using another user.
Comment 1 Henrik Andersson cendio 2014-03-19 15:03:08 CET
Also tested against 4.1.1 and it is not a regression.
Comment 2 Peter Åstrand cendio 2014-03-31 11:34:59 CEST
More information is needed: which platform is this? What kind of sshd configuration do you have? 

I failed to setup my CentOS 6 machine to support this. I configured the account as:

# chage astrand3
Changing the aging information for astrand3
Enter the new value, or press ENTER for the default

	Minimum Password Age [0]: 
	Maximum Password Age [365]: 180
	Last Password Change (YYYY-MM-DD) [2013-06-01]: 2013-06-01
	Password Expiration Warning [180]: 10
	Password Inactive [180]: 10
	Account Expiration Date (YYYY-MM-DD) [2014-06-01]: 2014-06-01

Ran authconfig-gtk to get a sane configuration. Then, trying to login:

$ ssh astrand3@scilla
Password: 
Your account has expired; please contact your system administrator

astrand3@scilla's password: 
Connection closed by 10.47.1.211
Comment 3 Henrik Andersson cendio 2014-03-31 15:00:51 CEST
(In reply to comment #2)
> More information is needed: which platform is this? What kind of sshd
> configuration do you have? 
>

Produced on a Centos 6 system default installation (SELinux enabled).
- Configured PasswordAuthentication=no (sshd_config) to disable passwd support in sshd so that it is passed further to pam.

- Disable the user account: chage -d 0 <user>

I believe that the extra message 

'You are required to change your password immediately (root enforced)'

is the source of the problem, before the actual password prompt.
Comment 4 Peter Åstrand cendio 2014-04-01 14:50:25 CEST
The code works as intended, but currently there's no support for interactive PAM conversations except in the "authentication" step. As I understand it, the "pamtester" helper does not support this either.
Comment 6 Peter Åstrand cendio 2016-02-29 08:25:58 CET
Created attachment 676
Call pam_chauthtok if necessary

With the attached, password change via the HTML5 client is possible. Still some
rough edges, though: Needs to log in again after change, plus some info lines
are missing.
Comment 8 Pierre Ossman cendio 2016-08-17 10:49:21 CEST
Note that the discussion on this bug so far has been about enforced password change. There is also the case where you merely get a warning. In that case the attached patch does not solve the issue.

Example configuration to get the warning:

[ossman@ossman]$ sudo chage tltest
[sudo] password for ossman: 
Changing the aging information for tltest
Enter the new value, or press ENTER for the default

	Minimum Password Age [0]: 
	Maximum Password Age [99999]: 30
	Last Password Change (YYYY-MM-DD) [2015-11-27]: 2016-08-01
	Password Expiration Warning [7]: 20
	Password Inactive [-1]: 
	Account Expiration Date (YYYY-MM-DD) [-1]: 

~
[ossman@ossman]$ ssh tltest@localhost
tltest@localhost's password: 
Warning: your password will expire in 14 days
Last login: Mon Apr 25 11:02:45 2016 from ::1
[tltest@ossman ~]$ logout
Connection to localhost closed.
Comment 9 Pierre Ossman cendio 2016-08-17 11:00:21 CEST
This is the error from tlwebaccess:

2016-08-17 10:43:51 ERROR tlwebaccess[19882]: [::1] Error communicating with PAM subsystem for user u'tltest': [Errno 6] No such device or address: '/var/run/thinlinc/webaccess/pamtester-1ba19c908cd40188d76dbb6841d8a073fdfadb15.in'

And this is how pamtester behaves:

$ sudo ./src/pamtester --echofirst -v thinlinc tltest authenticate acct_mgmt
[sudo] password for ossman: 
Sorry, try again.
[sudo] password for ossman: 
pamtester: invoking pam_start(thinlinc, tltest, ...)
pamtester: performing operation - authenticate
Password: 
pamtester: successfully authenticated:linux99
pamtester: performing operation - acct_mgmt
Warning: your password will expire in 14 days
pamtester: account management done.

So this is probably related to bug 5086 where we discuss the problem of handling messages.
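The three things the comments above circle around are (a) a conversation callback that only knows how to answer prompts during the "authentication" step (comment 4), (b) calling pam_chauthtok when pam_acct_mgmt reports an expired password (the attachment in comment 6), and (c) PAM_TEXT_INFO lines such as the expiry warning arriving during acct_mgmt, which the helper could not relay (comments 8 and 9). The following is an added example of a small PAM client that handles all three; it is not code from tlwebaccess, pamtester or ThinLinc. It drives Linux-PAM through ctypes; the numeric constants are assumed from Linux-PAM's <security/_pam_types.h> (other PAM implementations differ in values and in the layout of the msg argument), and the service name "thinlinc" is just a sample. The message handling is kept in a libpam-free function so it can be tested without a PAM stack or root.

```python
"""PAM client whose conversation callback handles every message style in every
stage (authenticate, acct_mgmt, chauthtok). Added illustration, not code from
tlwebaccess or pamtester: it drives Linux-PAM through ctypes. The constants are
assumed from Linux-PAM's <security/_pam_types.h>; "thinlinc" is a sample
service name."""
import ctypes
import ctypes.util

PAM_SUCCESS, PAM_BUF_ERR, PAM_CONV_ERR = 0, 5, 19
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
PAM_NEW_AUTHTOK_REQD = 12           # pam_acct_mgmt(): password expired, change required
PAM_CHANGE_EXPIRED_AUTHTOK = 0x20   # flag for pam_chauthtok()


def answer_messages(messages, ask):
    """libpam-free conversation logic. messages: [(style, text)]; ask(text, echo)
    returns the user's reply. Returns (replies, info, errors) with one reply per
    message, None where none is expected (the shape of the pam_response array)."""
    replies, info, errors = [], [], []
    for style, text in messages:
        if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
            replies.append(ask(text, style == PAM_PROMPT_ECHO_ON))
        elif style == PAM_TEXT_INFO:   # e.g. "Warning: your password will expire in 14 days"
            info.append(text)
            replies.append(None)
        elif style == PAM_ERROR_MSG:   # shown to the user, but no reply is expected
            errors.append(text)
            replies.append(None)
        else:                          # PAM_RADIO_TYPE, PAM_BINARY_PROMPT: not supported here
            raise ValueError("unsupported PAM message style %d" % style)
    return replies, info, errors


def needs_password_change(acct_rc):
    """True when pam_acct_mgmt() demands a password change before login."""
    return acct_rc == PAM_NEW_AUTHTOK_REQD


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class PamResponse(ctypes.Structure):
    # resp is free()d by libpam, so it is a raw pointer to libc-allocated memory
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]

CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                             ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def login(user, ask, service="thinlinc"):
    """authenticate -> acct_mgmt -> chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK) if needed.
    Returns (ok, shown); shown holds the info/error lines from every stage.
    pam_unix needs root to read /etc/shadow, hence pamtester running under sudo."""
    libpam = ctypes.CDLL(ctypes.util.find_library("pam") or "libpam.so.0")
    libc = ctypes.CDLL(ctypes.util.find_library("c"))
    libc.calloc.restype, libc.calloc.argtypes = ctypes.c_void_p, [ctypes.c_size_t] * 2
    libc.strdup.restype, libc.strdup.argtypes = ctypes.c_void_p, [ctypes.c_char_p]
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    for name in ("pam_authenticate", "pam_acct_mgmt", "pam_chauthtok", "pam_end"):
        getattr(libpam, name).argtypes = [ctypes.c_void_p, ctypes.c_int]
    shown = {"info": [], "errors": []}

    def conv(num_msg, msg, resp, appdata):
        # Linux-PAM hands over an array of num_msg pointers to pam_message
        messages = [(msg[i].contents.msg_style,
                     (msg[i].contents.msg or b"").decode("utf-8", "replace"))
                    for i in range(num_msg)]
        try:
            replies, info, errors = answer_messages(messages, ask)
        except Exception:               # never let a Python exception cross into libpam
            return PAM_CONV_ERR
        shown["info"] += info
        shown["errors"] += errors
        arr = libc.calloc(num_msg, ctypes.sizeof(PamResponse))
        if not arr:
            return PAM_BUF_ERR
        out = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i, reply in enumerate(replies):
            if reply is not None:
                out[i].resp = libc.strdup(reply.encode("utf-8"))
        resp[0] = out
        return PAM_SUCCESS

    callback = CONV_FUNC(conv)          # must stay referenced while the handle lives
    handle, conv_struct = ctypes.c_void_p(), PamConv(callback, None)
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(conv_struct), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        raise RuntimeError("pam_start failed with %d" % rc)
    try:
        rc = libpam.pam_authenticate(handle, 0)
        if rc == PAM_SUCCESS:
            rc = libpam.pam_acct_mgmt(handle, 0)
        if needs_password_change(rc):   # the same callback serves the change prompts
            rc = libpam.pam_chauthtok(handle, PAM_CHANGE_EXPIRED_AUTHTOK)
        return rc == PAM_SUCCESS, shown
    finally:
        libpam.pam_end(handle, rc)
```

To try it interactively run something like `login("tltest", lambda prompt, echo: getpass.getpass(prompt))` as root; with the chage settings from comment 8 the warning line ends up in `shown["info"]` instead of breaking the conversation, and with `chage -d 0` the acct_mgmt return code routes into pam_chauthtok, whose prompts (current password, new password, retype) go through the same callback. A web front end would replace the blocking `ask` with whatever relays prompts to the browser, which is the part the bug's helper process and its fifo were doing.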
Comment 16 Henrik Andersson cendio 2018-08-13 12:52:02 CEST
- Verified the code and that the release notes look good

- Verified that I could change an expired password using
  Web Access and prompts during login.
Comment 17 Henrik Andersson cendio 2018-08-13 13:35:00 CEST
(In reply to comment #16)

> - Verified that I could change an expired password using
>   Web Access and prompts during login.

This test was verified using local unix accounts.

I also verified change password using a system with Active Directory connected SSSD by checking "User must change password on next logon" on a user in AD, which worked as expected.
