Your message dated Sat, 14 Nov 2009 04:17:11 +0000
with message-id <[email protected]>
and subject line Bug#549188: fixed in libpam-krb5 4.0-1
has caused the Debian Bug report #549188,
regarding password changing with pam krb and cracklib
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
549188: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=549188
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-heimdal,libpam-krb5
Severity: normal
[moving email discussion into the BTS, more mails to follow]
Hi,
on etch I used the following as my common-password:
| password required pam_cracklib.so retry=3
minlen=10 difok=3 type=LDAP
| password [success=1 default=ignore] pam_krb5.so use_authtok
minimum_uid=1000 debug
| password required pam_unix.so use_authtok
nullok md5
| password required pam_permit.so
now that I upgraded to lenny this no longer works.
The problem is that in the olden days pam_krb5 would ask for a password
in the PAM_PRELIM_CHECK phase of password changing:
| if (args->try_first_pass || args->use_first_pass || args->use_authtok)
| retval = pam_get_item(ctx->pamh, authtok, (void *) &pass);
| if (args->use_authtok && retval != PAM_SUCCESS) {
| pamk5_debug_pam(ctx, args, "no stored password", retval);
| retval = PAM_SERVICE_ERR;
| goto done;
| }
| do {
[prompt for password]
Now in lenny in no longer does:
| retry = args->try_first_pass ? 1 : 0;
| if (args->try_first_pass || args->use_first_pass || args->use_authtok)
| retval = pam_get_item(args->pamh, authtok, (void *) &pass);
| if (args->use_authtok && (retval != PAM_SUCCESS || pass == NULL)) {
^^^^^^^^^^^^^^^
| pamk5_debug_pam(args, "no stored password", retval);
| retval = PAM_SERVICE_ERR;
| goto done;
| }
| do {
This code is the same in libpam-heimdal and libpam-krb5.
I hope you can shed some light on what this is.
Is this a bug in my configuration? If yes, what should it be. Note
that while pam_unix properly(?) prompts for a password in the prelim
check phase even if use_authtok is set, pam_unix will not ask for a
password if the user is not in /etc/passwd, so reordering won't help me
here.
Is this a bug in the code? The NEWS file lists the following entry:
| pam-krb5 3.9 (2007-11-12)
|
| If use_authtok is set, fail even if we can retrieve the stored PAM
| password if that password is set to NULL. Apparently that can happen
| in some cases, such as with pam_cracklib. Thanks to Christian Holler
| for the diagnosis and a patch.
but that does not say why we would want to fail in the preliminary phase in
such a case.
I'm hoping to hear from you,
Cheers,
weasel
--
| .''`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/
--- End Message ---
--- Begin Message ---
Source: libpam-krb5
Source-Version: 4.0-1
We believe that the bug you reported is fixed in the latest version of
libpam-krb5, which is due to be installed in the Debian FTP archive:
libpam-krb5_4.0-1.diff.gz
to main/libp/libpam-krb5/libpam-krb5_4.0-1.diff.gz
libpam-krb5_4.0-1.dsc
to main/libp/libpam-krb5/libpam-krb5_4.0-1.dsc
libpam-krb5_4.0-1_i386.deb
to main/libp/libpam-krb5/libpam-krb5_4.0-1_i386.deb
libpam-krb5_4.0.orig.tar.gz
to main/libp/libpam-krb5/libpam-krb5_4.0.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Russ Allbery <[email protected]> (supplier of updated libpam-krb5 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 13 Nov 2009 18:19:45 -0800
Source: libpam-krb5
Binary: libpam-krb5
Architecture: source i386
Version: 4.0-1
Distribution: unstable
Urgency: low
Maintainer: Russ Allbery <[email protected]>
Changed-By: Russ Allbery <[email protected]>
Description:
libpam-krb5 - PAM module for MIT Kerberos
Closes: 549188
Changes:
libpam-krb5 (4.0-1) unstable; urgency=low
.
* New upstream release.
- Add force_first_pass parameter to auth and password groups to force
use of the password in the PAM data even if none is set, replacing
part of the old meaning of use_authtok.
- use_authtok now only affects the new password during password
change, although use_authtok in the auth group has the old meaning
for backward compatibility. (Closes: #549188)
- use_first_pass and try_first_pass no longer affect how the new
password is obtained during password changes.
- Stop returning PAM_IGNORE from pam_setcred. This confuses older
versions of the Linux PAM library.
- Better logging in pam_sm_{open,close}_session.
* Add try_first_pass to the pam-krb5 password group pam-auth-update
configuration. Unlike the previous behavior, this means that if the
Kerberos password is different than the password of an earlier module
in the password group, pam-krb5 will now prompt the user for the
Kerberos password.
* Remove the libtool *.la file and set the permissions of pam_krb5.so
properly to work around the annoyances of switching to libtool.
* Update standards version to 3.8.3 (no changes required).
Checksums-Sha1:
ca0b4aa711bd84392f54827cc358496a0d509188 1214 libpam-krb5_4.0-1.dsc
a62b970a3458ef7acba87161526cde59b164879d 372725 libpam-krb5_4.0.orig.tar.gz
6280033e6b91a7d17b82abf71ad3b3dc9a3f3929 14474 libpam-krb5_4.0-1.diff.gz
0bbbf9e8e5bd5afbd2423eeae24fd85c949f90e4 70668 libpam-krb5_4.0-1_i386.deb
Checksums-Sha256:
dfea6df93fb997d5fced75f1aac897614ee89cea5ffb07f1fbffb5181bc34cb7 1214
libpam-krb5_4.0-1.dsc
ff4c20c0080fbeeedc68259be169ddcd2e80bbc2b9805b2b6e41996f1aba9230 372725
libpam-krb5_4.0.orig.tar.gz
adc2d85d916446dac4572fa21ea8416431defe3254f16bf04caace26a8da36ee 14474
libpam-krb5_4.0-1.diff.gz
5c16fcb991bf2b6b02deec8ceb4a2f7635beee4c95207c169cde532e228f0d97 70668
libpam-krb5_4.0-1_i386.deb
Files:
d09d84f876e7338896c3011bf078acf8 1214 admin optional libpam-krb5_4.0-1.dsc
b09b29650ae635d203f74235711bb664 372725 admin optional
libpam-krb5_4.0.orig.tar.gz
b311c8f5753a828789d6d69188221618 14474 admin optional libpam-krb5_4.0-1.diff.gz
202cd71ab28f6b401a894dd801e3b1e9 70668 admin optional
libpam-krb5_4.0-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkr+GW8ACgkQ+YXjQAr8dHZdZwCdH8LLGhj8vSa4/VRjyeQJ0ff9
X8AAoMvB9jtO0R5pWk4Fp6PT6ae/TJF+
=cguB
-----END PGP SIGNATURE-----
--- End Message ---