Bug#321384: [Pkg-shadow-devel] Bug#321384: su refuses to change an expired password for root
Hi!

On Sat, Aug 06, 2005 at 01:05:50AM +0200, Nicolas François wrote:
> It performs a pam_chauthtok when pam_acct_mgmt returns a PAM_CHANGE_EXPIRED_AUTHTOK.

Sorry, here you have a typo:

if (amroot) { fprintf (stderr, _(%s: %s\n(Ignored)\n), Prog, pam_strerror (pamh, ret)); + } if (ret == PAM_NEW_AUTHTOK_REQD) { + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);

it should be:

if (amroot) { fprintf (stderr, _(%s: %s\n(Ignored)\n), Prog, pam_strerror (pamh, ret)); + } else if (ret == PAM_NEW_AUTHTOK_REQD) { + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (ret != PAM_SUCCESS) { + SYSLOG ((LOG_ERR, pam_chauthtok: %s, + pam_strerror (pamh, ret))); + fprintf (stderr, _(%s: %s\n), Prog, + pam_strerror (pamh, ret)); + pam_end (pamh, ret); + su_failure (tty); + } } else { SYSLOG ((LOG_ERR, pam_acct_mgmt: %s, pam_strerror (pamh, ret)));

P.S. I think the fix is definitely applicable to Sarge and we should have a Sarge version of the patch, although not applied yet...

--
WBR, xrgtn
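Review bot: with `} else if (ret == PAM_NEW_AUTHTOK_REQD)` the expired-password prompt is reached only when the caller is not root; an `amroot` caller whose pam_acct_mgmt result is PAM_NEW_AUTHTOK_REQD still gets just the "(Ignored)" message and is never offered pam_chauthtok. That matches the "root gets to ignore any expired accounts" comment quoted in the report, but it means the change request is silently dropped for root-initiated su, so it should be a deliberate choice rather than a side effect of where the `else` landed. Separately, the new failure path (SYSLOG at LOG_ERR, stderr message, pam_end, su_failure(tty)) duplicates the existing pam_acct_mgmt error branch step for step; if su.c already has a macro for that sequence, using it here keeps the two paths from drifting apart.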
Bug#321384: [Pkg-shadow-devel] Bug#321384: su refuses to change an expired password for root
And even more, I think it may/should include:

if (amroot) { fprintf (stderr, _(%s: %s\n(Ignored)\n), Prog, pam_strerror (pamh, ret)); + } else if (ret == PAM_NEW_AUTHTOK_REQD) { + SYSLOG ((LOG_NOTICE, pam_chauthtok: %s, +pam_strerror (pamh, ret))); + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);

I.e. make a notice to syslog independently of whether the user changes her authtok successfully or not.

And instead of:

+ if (ret != PAM_SUCCESS) { + SYSLOG ((LOG_ERR, pam_chauthtok: %s, +pam_strerror (pamh, ret))); + fprintf (stderr, _(%s: %s\n), Prog, +pam_strerror (pamh, ret)); + pam_end (pamh, ret); + su_failure (tty); + }

maybe just PAM_FAIL_CHECK;???
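Review bot: the added `SYSLOG ((LOG_NOTICE, pam_chauthtok: %s, pam_strerror (pamh, ret)))` runs before pam_chauthtok is called, so `ret` still holds the pam_acct_mgmt result and the line logs the account-management status ("Authentication token is no longer valid; new one required") under a pam_chauthtok label. Either label it as the pam_acct_mgmt result it is, or move the SYSLOG after the call so it reports what pam_chauthtok actually returned. On PAM_FAIL_CHECK: the macro is not defined anywhere in the visible diff, so before replacing the explicit `if (ret != PAM_SUCCESS)` block confirm it performs the same four steps (SYSLOG at LOG_ERR, stderr message, pam_end, su_failure(tty)); if it only does a subset, the failure path changes behaviour without that being visible in the patch.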
Bug#321384: [Pkg-shadow-devel] Bug#321384: su refuses to change an expired password for root
Thinking more about this, I have reached the following conclusions.

On Sat, Aug 06, 2005 at 01:05:50AM +0200, Nicolas François wrote:
> Can you have a look at this patch? It performs a pam_chauthtok when pam_acct_mgmt returns a PAM_CHANGE_EXPIRED_AUTHTOK.

First, we have agreed upon the following variant for the PAM-enabled [part of] su:

if (amroot) { fprintf (stderr, _(%s: %s\n(Ignored)\n), Prog, pam_strerror (pamh, ret)); + } else if (ret == PAM_NEW_AUTHTOK_REQD) { + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (ret != PAM_SUCCESS) { + SYSLOG ((LOG_ERR, pam_chauthtok: %s, + pam_strerror (pamh, ret))); + fprintf (stderr, _(%s: %s\n), Prog, + pam_strerror (pamh, ret)); + pam_end (pamh, ret); + su_failure (tty); + } } else { SYSLOG ((LOG_ERR, pam_acct_mgmt: %s, pam_strerror (pamh, ret)));

As for the additional LOG_NOTICE in front of "ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);", this is not needed, because pam_chauthtok should do the necessary logging by itself, and with pam_unix it does. For example:

su[12348]: (pam_unix) expired password for user xenon (root enforced)

/*
 * Everything described below is not important for
 * Debian, but we should assure consistent behavior of
 * both PAM and non-PAM su when lobbing patches into
 * upstream!!!
 */

Then, when built without PAM, su is still prone to the bug, and there's no easy solution like pam_chauthtok(), so the necessary functionality should be taken from the similar-purpose code in login. And for the latter code we should assure that an attempt to use an account with an expired _password_ is logged with priority LOG_NOTICE, while failure to change the expired password and log in should be logged with LOG_WARN, IMHO. Or with LOG_CRIT/LOG_ERROR when _root's_ password-changing attempt failed.

Currently, src/login.c implements this with the libmisc/age.c:expire() routine. BUT this routine does only printf(), and no logging to syslog at all.
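Review bot: the non-PAM build is left untouched by this hunk, which sits entirely in the PAM path, so a su built without PAM keeps refusing the expired password; the libmisc/age.c expire() routine proposed as the replacement only printf()s, so a non-PAM fix needs its own SYSLOG calls to keep the two builds' audit trails consistent. When adding those, note that <syslog.h> spells the priorities LOG_WARNING and LOG_ERR; LOG_WARN and LOG_ERROR as written in the message are not defined and will not compile.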
Tomasz: also there's puts(...\n) in expire()

--
WBR, xrgtn
Bug#321384: su refuses to change an expired password for root
Package: login
Version: 1:4.0.3-31sarge5

I configured password aging on a fresh installation of Sarge. When I use ssh to log into a user account with an expired password, I'm forced to change the password like this:

Using username westphal.
Linux wiesel 2.6.8-2-386 #1 Thu May 19 17:40:50 JST 2005 i686 GNU/Linux
Last login: Tue Aug 2 09:08:16 2005 from 10.222.16.227
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for westphal
(current) UNIX password:
New UNIX password:
Retype new UNIX password:

This is the expected behaviour. It even works for a direct login into the root account (sshd configured to PermitRootLogin yes). However, when I try to su to an expired root account, it refuses to change the password:

[EMAIL PROTECTED]:~# passwd -x 10 -i 9 root
[EMAIL PROTECTED]:~$ su -
Password:
You are required to change your password immediately (password aged)
su: Authentication token is no longer valid; new one required.
Sorry.

On a system where su is the only way to become root, this would mean a locked-out root account. Imagine a remote system with sshd configured to PermitRootLogin no and no direct console access.

Here is my configuration file /etc/pam.d/su, with @includes removed for clarity:

auth sufficient pam_rootok.so
auth required pam_unix.so nullok_secure
account required pam_unix.so
password required pam_unix.so use_authtok nullok
session required pam_unix.so

The expected behaviour would be to immediately request the user to change the password, as for the direct logins. Looking in su.c I found the following comment:

/*
 * Check to see if the account is expired. root gets to ignore any
 * expired accounts, but normal users can't become a user with an
 * expired password.
 */

IMHO this implementation of su confuses expired (passwd -e user) and inactive (passwd -l user) passwords. An expired password is not invalid, it is just marked for an immediate change.
I see no reason why su should deny access to such an account.

Regards,
Kind regards,
Volker Westphal
SO NSD Design, Build, Implement, Run Security Services Financial Customers
IBM Business Services GmbH ... an IBM Global Services Company
--
Wilhelm-Fay-Straße 30 - 34, 65936 Frankfurt
Tel.: +49 (0) 69/6645-5056
E-Mail: [EMAIL PROTECTED]
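The distinction the report draws, as an added example that is not part of the bug report or of shadow's own code: a small C model of the /etc/shadow aging fields that passwd -x, -i and -e and usermod -e set, classifying an account into the states the reporter says su confuses. The state-to-PAM-code mapping and the numeric values of the PAM constants are my reading of Linux-PAM and pam_unix, not something the thread states; the pam_strerror text for PAM_NEW_AUTHTOK_REQD is the "Authentication token is no longer valid; new one required" line in the report. The timeline in main() is constructed from the reporter's "passwd -x 10 -i 9 root".

```c
#include <stdio.h>
#include <string.h>

/* Password-aging fields as stored in /etc/shadow (struct spwd).  -1 marks an
 * empty field.  Days are counted since 1970-01-01, as in the shadow file.
 * Note: "passwd -l" is not an aging field at all; it prefixes the hash with
 * '!' and so is outside this model. */
struct aging {
    long lstchg;  /* day of last change; 0 means "must change now" (passwd -e) */
    long max;     /* maximum age in days (passwd -x) */
    long inact;   /* grace days after the maximum age (passwd -i) */
    long expire;  /* day the account itself expires (usermod -e) */
};

/* The three distinct failure states the report says su confuses, plus OK. */
enum aging_state {
    AGE_OK,              /* password usable, no change required */
    AGE_MUST_CHANGE,     /* expired: still valid, but must be changed now */
    AGE_INACTIVE,        /* expired AND inactivity grace used up: locked out */
    AGE_ACCOUNT_EXPIRED  /* account expiry date passed: locked out */
};

/* Classify an account on a given day.  Order matters: account expiry wins,
 * a forced change (lstchg == 0) is next, then inactivity, then plain expiry. */
enum aging_state aging_state(const struct aging *a, long today)
{
    if (a->expire >= 0 && today >= a->expire)
        return AGE_ACCOUNT_EXPIRED;
    if (a->lstchg == 0)
        return AGE_MUST_CHANGE;
    if (a->lstchg < 0 || a->max < 0)
        return AGE_OK;                       /* no aging information */
    if (a->inact >= 0 && today >= a->lstchg + a->max + a->inact)
        return AGE_INACTIVE;
    if (today >= a->lstchg + a->max)
        return AGE_MUST_CHANGE;
    return AGE_OK;
}

/* Linux-PAM return codes (values as in <security/_pam_types.h>).  Assumption:
 * this is how pam_unix's account check reports each state.  The thread only
 * shows PAM_NEW_AUTHTOK_REQD, whose pam_strerror text is the
 * "Authentication token is no longer valid; new one required" line in the report. */
#define PAM_SUCCESS           0
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_ACCT_EXPIRED     13
#define PAM_AUTHTOK_EXPIRED  27

int acct_mgmt_code(enum aging_state s)
{
    switch (s) {
    case AGE_MUST_CHANGE:     return PAM_NEW_AUTHTOK_REQD;
    case AGE_INACTIVE:        return PAM_AUTHTOK_EXPIRED;
    case AGE_ACCOUNT_EXPIRED: return PAM_ACCT_EXPIRED;
    default:                  return PAM_SUCCESS;
    }
}

/* What a su-style caller should do with the code: only PAM_NEW_AUTHTOK_REQD
 * is recoverable by prompting for a new password (pam_chauthtok with
 * PAM_CHANGE_EXPIRED_AUTHTOK); every other non-zero code is a refusal. */
const char *su_action(int code)
{
    if (code == PAM_SUCCESS)          return "proceed";
    if (code == PAM_NEW_AUTHTOK_REQD) return "prompt for new password, then proceed";
    return "refuse";
}

int main(void)
{
    /* Constructed timeline for the reporter's "passwd -x 10 -i 9 root":
     * max=10, inact=9, no account expiry, last change on day 13000. */
    struct aging root = { 13000, 10, 9, -1 };
    long days[] = { 13005, 13010, 13018, 13019 };
    for (int i = 0; i < 4; i++) {
        int code = acct_mgmt_code(aging_state(&root, days[i]));
        printf("day %ld: pam_acct_mgmt -> %2d, su should %s\n",
               days[i], code, su_action(code));
    }
    return 0;
}
```

With max=10 and inact=9 the password is usable until day 13009, must be changed on days 13010 through 13018, and on day 13019 the account becomes inactive and is refused outright. Only the middle window maps to a code a caller can recover from by calling pam_chauthtok, which is what the patches later in this thread add to su; the inactive and account-expired states are refusals in both login and su.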
Bug#321384: su refuses to change an expired password for root
found 321384 1:4.0.11.1-1
found 321384 1:4.0.3-35
thanks

Hello Volker,

Thank you for reporting this. I hereby confirm this bug (for the current testing and experimental packages). For the moment, a user can change her password with a login to a console. I will try to commit a patch for the experimental package this week-end, but I don't know if it applies for a future Sarge update.

Best Regards,
--
Nekral
Bug#321384: su refuses to change an expired password for root
Hello Tomasz,

Can you have a look at this patch? It performs a pam_chauthtok when pam_acct_mgmt returns a PAM_CHANGE_EXPIRED_AUTHTOK.

BTW, in adduser.c: s/spoll/spool/

Kind Regards
--
Nekral

Index: src/su.c === RCS file: /cvsroot/shadow/src/su.c,v retrieving revision 1.41 diff -u -r1.41 su.c --- src/su.c4 Aug 2005 19:13:43 - 1.41 +++ src/su.c5 Aug 2005 22:55:18 - @@ -519,6 +519,16 @@ if (amroot) { fprintf (stderr, _(%s: %s\n(Ignored)\n), Prog, pam_strerror (pamh, ret)); + } if (ret == PAM_NEW_AUTHTOK_REQD) { + ret = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (ret != PAM_SUCCESS) { + SYSLOG ((LOG_ERR, pam_chauthtok: %s, +pam_strerror (pamh, ret))); + fprintf (stderr, _(%s: %s\n), Prog, +pam_strerror (pamh, ret)); + pam_end (pamh, ret); + su_failure (tty); + } } else { SYSLOG ((LOG_ERR, pam_acct_mgmt: %s, pam_strerror (pamh, ret)));
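Review bot: `} if (ret == PAM_NEW_AUTHTOK_REQD) {` closes the `if (amroot)` block and opens an unrelated `if`, so the trailing `} else {` now pairs with the new test instead of with `amroot`. Two consequences follow: a root caller whose target has an expired password prints "(Ignored)" and is then prompted by pam_chauthtok anyway, and a root caller with any other non-success code prints "(Ignored)" and falls through into the pam_acct_mgmt error branch, which defeats the ignore; if this block is not already guarded by a `ret != PAM_SUCCESS` test in the surrounding code, even a PAM_SUCCESS result lands in that error branch. `} else if (ret == PAM_NEW_AUTHTOK_REQD) {` restores the intended three-way branch, as the follow-up in this thread points out.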