www.cendio.com
Bug 5028 - Web Access authentication does not handle expired password pam prompts
Status: CLOSED FIXED
Product: ThinLinc
Component: Web Access
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.10.0
Related bug (dependency field): 5086
Reported: 2014-03-19 14:44
Modified: 2018-08-13 13:35
Acceptance Criteria:
* Users should be able to go through with the password change process when their password is expired


Attachments:
  Call pam_chauthtok if necessary (737 bytes, patch), 2016-02-29 08:25, Peter Åstrand




------- Description From cendio 2014-03-19 14:44:04 -------
Trying to log in using an account with an expired password gives me the
following response:

You are required to change your password immediately (root enforced)

Username: [cendio     ]
Password: [           ]


From there I can choose to login using another user.
------- Comment #1 From cendio 2014-03-19 15:03:08 -------
Also tested against 4.1.1 and it is not a regression.
------- Comment #2 From cendio 2014-03-31 11:34:59 -------
More information is needed: which platform is this? What kind of sshd
configuration do you have? 

I failed to set up my CentOS 6 machine to support this. I configured the
account as:

# chage astrand3
Changing the aging information for astrand3
Enter the new value, or press ENTER for the default

    Minimum Password Age [0]: 
    Maximum Password Age [365]: 180
    Last Password Change (YYYY-MM-DD) [2013-06-01]: 2013-06-01
    Password Expiration Warning [180]: 10
    Password Inactive [180]: 10
    Account Expiration Date (YYYY-MM-DD) [2014-06-01]: 2014-06-01

Ran authconfig-gtk to get a sane configuration. Then, trying to login:

$ ssh astrand3@scilla
Password: 
Your account has expired; please contact your system administrator

astrand3@scilla's password: 
Connection closed by 10.47.1.211
------- Comment #3 From cendio 2014-03-31 15:00:51 -------
(In reply to comment #2)
> More information is needed: which platform is this? What kind of sshd
> configuration do you have? 
>

Produced on a CentOS 6 system default installation (SELinux enabled).
- Configured PasswordAuthentication=no (sshd_config) to disable password support
in sshd so that it is passed further to PAM.

- Disable the user account: chage -d 0 <user>

I believe that the extra message 

'You are required to change your password immediately (root enforced)'

is the source of the problem; it appears before the actual password prompt.
------- Comment #4 From cendio 2014-04-01 14:50:25 -------
The code works as intended, but currently there's no support for interactive
PAM conversations except in the "authentication" step. As I understand it, the
"pamtester" helper does not support this either.
------- Comment #6 From cendio 2016-02-29 08:25:58 -------
Created an attachment (id=676) [details]
Call pam_chauthtok if necessary

With the attached patch, a password change via the HTML5 client is possible.
There are still some rough edges, though: you need to log in again after the
change, and some info lines are missing.
------- Comment #8 From cendio 2016-08-17 10:49:21 -------
Note that the discussion on this bug so far has been about enforced password
change. There is also the case where you merely get a warning. In that case the
attached patch does not solve the issue.

Example configuration to get the warning:

[ossman@ossman]$ sudo chage tltest
[sudo] password for ossman: 
Changing the aging information for tltest
Enter the new value, or press ENTER for the default

    Minimum Password Age [0]: 
    Maximum Password Age [99999]: 30
    Last Password Change (YYYY-MM-DD) [2015-11-27]: 2016-08-01
    Password Expiration Warning [7]: 20
    Password Inactive [-1]: 
    Account Expiration Date (YYYY-MM-DD) [-1]: 

[ossman@ossman]$ ssh tltest@localhost
tltest@localhost's password: 
Warning: your password will expire in 14 days
Last login: Mon Apr 25 11:02:45 2016 from ::1
[tltest@ossman ~]$ logout
Connection to localhost closed.
------- Comment #9 From cendio 2016-08-17 11:00:21 -------
This is the error from tlwebaccess:

2016-08-17 10:43:51 ERROR tlwebaccess[19882]: [::1] Error communicating with
PAM subsystem for user u'tltest': [Errno 6] No such device or address:
'/var/run/thinlinc/webaccess/pamtester-1ba19c908cd40188d76dbb6841d8a073fdfadb15.in'

And this is how pamtester behaves:

$ sudo ./src/pamtester --echofirst -v thinlinc tltest authenticate acct_mgmt
[sudo] password for ossman: 
Sorry, try again.
[sudo] password for ossman: 
pamtester: invoking pam_start(thinlinc, tltest, ...)
pamtester: performing operation - authenticate
Password: 
pamtester: successfully authenticated:linux99
pamtester: performing operation - acct_mgmt
Warning: your password will expire in 14 days
pamtester: account management done.

So this is probably related to bug 5086, where we discuss the problem of
handling messages.
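The two situations discussed in this bug, the enforced change that the attached patch (comment #6) handles by calling pam_chauthtok, and the warning-only case of comments #8 and #9 where a display-only PAM message arrives with no prompt behind it, can be shown in one model. The Python below is an added example, not code from tlwebaccess, pamtester or Linux-PAM: it drives the PAM sequence against a constructed FakeBackend standing in for libpam, using the message-style and return-code constants from Linux-PAM's headers; the prompt strings, the outcome labels and the FakeBackend's aging rules are assumptions made for the example. It shows a conversation function that answers only prompt-style messages and records PAM_TEXT_INFO/PAM_ERROR_MSG lines for display, the authenticate, acct_mgmt, chauthtok(PAM_CHANGE_EXPIRED_AUTHTOK) sequence for an expired password, and what goes wrong when a warning line is treated as a prompt that must be answered.

```python
"""Model of the PAM conversation a login front-end (such as a web client) has to
drive: authenticate -> acct_mgmt -> chauthtok when the password has expired,
while surfacing PAM_TEXT_INFO / PAM_ERROR_MSG lines that need no reply.
FakeBackend is a constructed stand-in for a PAM stack, not libpam."""

# Message styles and return codes as defined by Linux-PAM (<security/_pam_types.h>).
PAM_PROMPT_ECHO_OFF = 1    # e.g. "Password: "  -> reply required, hidden input
PAM_PROMPT_ECHO_ON = 2     # e.g. "Username: "  -> reply required, visible input
PAM_ERROR_MSG = 3          # display only, no reply
PAM_TEXT_INFO = 4          # display only, no reply ("Warning: your password will expire ...")

PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12          # acct_mgmt: password expired, must be changed now
PAM_AUTHTOK_ERR = 20               # chauthtok: change failed
PAM_CHANGE_EXPIRED_AUTHTOK = 0x20  # chauthtok flag: change only if the token is expired


class Conversation:
    """Answers prompts from a queue and collects display-only lines.

    treat_info_as_prompt=True reproduces the mistake of waiting for a reply to
    every message: a PAM_TEXT_INFO line then consumes (or waits for) an answer
    the user was never asked for."""

    def __init__(self, answers, treat_info_as_prompt=False):
        self.answers = list(answers)
        self.treat_info_as_prompt = treat_info_as_prompt
        self.info = []  # PAM_TEXT_INFO / PAM_ERROR_MSG lines to show the user

    def __call__(self, messages):
        replies = []
        for style, text in messages:
            if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                needs_reply = True
            elif style in (PAM_ERROR_MSG, PAM_TEXT_INFO):
                self.info.append(text)
                needs_reply = self.treat_info_as_prompt
            else:
                raise ValueError("unknown PAM message style %d" % style)
            if needs_reply:
                if not self.answers:
                    raise RuntimeError("no answer for message %r" % text)
                replies.append(self.answers.pop(0))
            else:
                replies.append(None)  # NULL response for display-only messages
        return replies


def login(backend, conv):
    """Drive the PAM sequence; returns a short outcome label (assumed names)."""
    if backend.authenticate(conv) != PAM_SUCCESS:
        return "auth-failed"
    rc = backend.acct_mgmt(conv)
    if rc == PAM_NEW_AUTHTOK_REQD:
        # Expired password: the step the original Web Access code did not take.
        if backend.chauthtok(conv, PAM_CHANGE_EXPIRED_AUTHTOK) != PAM_SUCCESS:
            return "change-failed"
        return "changed"
    if rc != PAM_SUCCESS:
        return "acct-failed"
    return "ok"


class FakeBackend:
    """Constructed stand-in for a pam_unix-like stack. days_left <= 0 means the
    password has expired; a warning is emitted within warn_days of expiry."""

    def __init__(self, password, days_left, warn_days=7):
        self.password = password
        self.days_left = days_left
        self.warn_days = warn_days

    def authenticate(self, conv):
        (pw,) = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
        return PAM_SUCCESS if pw == self.password else PAM_AUTH_ERR

    def acct_mgmt(self, conv):
        if self.days_left <= 0:
            conv([(PAM_TEXT_INFO, "You are required to change your password immediately (root enforced)")])
            return PAM_NEW_AUTHTOK_REQD
        if self.days_left <= self.warn_days:
            conv([(PAM_TEXT_INFO, "Warning: your password will expire in %d days" % self.days_left)])
        return PAM_SUCCESS

    def chauthtok(self, conv, flags):
        if flags & PAM_CHANGE_EXPIRED_AUTHTOK and self.days_left > 0:
            return PAM_SUCCESS  # not expired, nothing to change
        (current,) = conv([(PAM_PROMPT_ECHO_OFF, "Current password: ")])
        if current != self.password:
            conv([(PAM_ERROR_MSG, "Authentication token manipulation error")])
            return PAM_AUTHTOK_ERR
        # Two prompts in one conversation call, as the PAM API allows.
        new, again = conv([(PAM_PROMPT_ECHO_OFF, "New password: "),
                           (PAM_PROMPT_ECHO_OFF, "Retype new password: ")])
        if new != again:
            conv([(PAM_ERROR_MSG, "Sorry, passwords do not match.")])
            return PAM_AUTHTOK_ERR
        self.password, self.days_left = new, 30
        return PAM_SUCCESS


def demo_expired():
    """Enforced change: answers are old password, old password again, new, retype."""
    backend = FakeBackend("linux99", days_left=0)
    conv = Conversation(["linux99", "linux99", "s3cret-new", "s3cret-new"])
    return login(backend, conv), conv.info, backend.password


def demo_warning():
    """Warning only: login succeeds and the warning is kept for display."""
    backend = FakeBackend("linux99", days_left=14, warn_days=20)
    conv = Conversation(["linux99"])
    return login(backend, conv), conv.info


def naive_warning():
    """Same warning, but every message is treated as a prompt: the flow gets stuck."""
    backend = FakeBackend("linux99", days_left=14, warn_days=20)
    conv = Conversation(["linux99"], treat_info_as_prompt=True)
    try:
        return login(backend, conv)
    except RuntimeError as exc:
        return "stuck: %s" % exc


if __name__ == "__main__":
    print(demo_expired())
    print(demo_warning())
    print(naive_warning())
```

In a real front-end the conversation callback is the one handed to pam_start(), and the rule is the same as in the model: return a NULL response for PAM_TEXT_INFO and PAM_ERROR_MSG and only block for user input on the two prompt styles. With stock pamtester the chauthtok operation can be appended to the operation list (authenticate acct_mgmt chauthtok) to exercise the same sequence from a shell.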
------- Comment #16 From cendio 2018-08-13 12:52:02 -------
- Verified the code and that the release notes look good

- Verified that I could change an expired password using
  Web Access and prompts during login.
------- Comment #17 From cendio 2018-08-13 13:35:00 -------
(In reply to comment #16)

> - Verified that I could change an expired password using
>   Web Access and prompts during login.

This test was verified using local unix accounts.

I also verified password change on a system with SSSD connected to Active
Directory, by checking "User must change password on next logon" on a user in
AD, which worked as expected.