** Changed in: gnome-screensaver
Status: New => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gnome-screensaver in Ubuntu.
https://bugs.launchpad.net/bugs/952771
Title:
Gnome Screensaver should handle expired password tokens
Status in GNOME Screensaver:
Fix Released
Status in “gnome-screensaver” package in Ubuntu:
Fix Released
Status in “gnome-screensaver” source package in Precise:
Triaged
Bug description:
Gnome Screensaver should handle expired password tokens. Currently it does
not. It just unlocks screen, so in case you're using kerberos - your
credentials cache stays expired and you need to manually change your password
or logout and then login again (lightdm, gdm, etc. do handle expired password
tokens).
Actually, there is a mainstream bugreport with patch solving the problem, but
it seems noone is interested in solving this issue:
https://bugzilla.gnome.org/show_bug.cgi?id=648875
The patch provided by Brian C. Huffman solves the issue and is compatible
with today's GS behavior (it can be emulated using special pam config, see
comment 9 there).
Both solutions using this patch (with and without "passwd required
pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and
work as expected.
[Impact]
Gnome-screensaver doesn't handle expired credentials. If user's account
password must be changed (e.g. expired), when unlocking screen,
gnome-screensaver doesn't suggest to change the password. This behavior rises
two problems:
1) security: user can unlock screen and get access even if it's password has
expired;
2) usability: if kerberos authentication is used, then credentials cache
stays expired, so user can't access kerberized services until password is
changed manually.
Since precise LTS is used widely in corporate environments (with krb5 auth),
backporting to it would be useful.
[Test Case]
1) Configure gnome-screensaver to lock screen and require password to login
(gnome-control-center -> Brightness and Lock)
2) Configure pam to use krb5/sss/winbind authentication against any KDC that
supports password expiration;
3) login with normal (not expired) account (using lightdm/gdm/anotherdm);
4) mark this account's password as expired (or 'must change') somehow
(depends on KDC you're using);
5) lock screen;
6) unlock screen with your password. You will not be asked to change your
password;
7) try to access any kerberized service (http-proxy/samba/ssh), since
credentials cache is expired - access will be denied.
[Regression Potential]
Fixing a bug with provided patch (raring) changes behavior on unlocking with
expired password. If we need to save current behavior as default, then we
should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff).
To manage notifications about this bug go to:
https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
