[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
The Precise Pangolin has reached end of life, so this bug will not be fixed for that release ** Changed in: gnome-screensaver (Ubuntu Precise) Status: Triaged => Won't Fix -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: Fix Released Status in gnome-screensaver package in Ubuntu: Fix Released Status in gnome-screensaver source package in Precise: Won't Fix Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without "passwd required pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. [Impact] Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: 1) security: user can unlock screen and get access even if it's password has expired; 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. [Test Case] 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center -> Brightness and Lock) 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); 5) lock screen; 6) unlock screen with your password. You will not be asked to change your password; 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. [Regression Potential] Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Changed in: gnome-screensaver Status: New = Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: Fix Released Status in “gnome-screensaver” package in Ubuntu: Fix Released Status in “gnome-screensaver” source package in Precise: Triaged Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. [Impact] Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: 1) security: user can unlock screen and get access even if it's password has expired; 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. [Test Case] 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center - Brightness and Lock) 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); 5) lock screen; 6) unlock screen with your password. You will not be asked to change your password; 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. [Regression Potential] Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
Hi, we're hitting this bug on Ubuntu 12.04. Is there any possibility for this to be backported to 12.04? Thank you. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Released Status in “gnome-screensaver” source package in Precise: Triaged Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. [Impact] Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: 1) security: user can unlock screen and get access even if it's password has expired; 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. [Test Case] 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center - Brightness and Lock) 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); 5) lock screen; 6) unlock screen with your password. You will not be asked to change your password; 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. [Regression Potential] Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
@urusha: thanks for the work, we probably want to wait for testing and feedback in raring before backporting to stable Could you also update the bug to be compliant to https://wiki.ubuntu.com/StableReleaseUpdates if you want a backport to precise? It means having a least those infos in the bug description: impact, test case, regression potential Unsubscribing ubuntu-sponsors for the moment so it's out of the review list until we get some feedback on the patch and get the bug updated ** Also affects: gnome-screensaver (Ubuntu Precise) Importance: Undecided Status: New ** Changed in: gnome-screensaver (Ubuntu Precise) Importance: Undecided = Low ** Changed in: gnome-screensaver (Ubuntu Precise) Status: New = Triaged -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Status in “gnome-screensaver” source package in Precise: Triaged Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Description changed: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. - This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream - yet. + + [Impact] + Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: + 1) security: user can unlock screen and get access even if it's password has expired; + 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. + Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. + + [Test Case] + 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center - Brightness and Lock) + 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; + 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); + 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); + 5) lock screen; + 6) unlock screen with you password. You will not be asked to change your password; + 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. + + [Regression Potential] + Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). ** Description changed: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. [Impact] Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: 1) security: user can unlock screen and get access even if it's password has expired; 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. [Test Case] 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center - Brightness and Lock) 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); 5) lock screen; - 6) unlock screen with you password. You will not be asked to change your password; + 6) unlock screen with your password. You will not be asked to change your password; 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. [Regression Potential] Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
@seb128: I updated the bug descriptions as you wrote and subscribed ubuntu-sru team. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Status in “gnome-screensaver” source package in Precise: Triaged Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. [Impact] Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: 1) security: user can unlock screen and get access even if it's password has expired; 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. [Test Case] 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center - Brightness and Lock) 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); 5) lock screen; 6) unlock screen with your password. You will not be asked to change your password; 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. [Regression Potential] Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
This bug was fixed in the package gnome-screensaver - 3.6.1-0ubuntu2 --- gnome-screensaver (3.6.1-0ubuntu2) raring; urgency=low * debian/patches/28_handle_expired_creds.patch: - Allow handling of expired credentials. Thanks Brian C. Huffman for patch. (LP: #952771) -- Sergey Urushkin urusha.v...@gmail.com Thu, 29 Nov 2012 13:19:54 +0400 ** Changed in: gnome-screensaver (Ubuntu) Status: Fix Committed = Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Released Status in “gnome-screensaver” source package in Precise: Triaged Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. [Impact] Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems: 1) security: user can unlock screen and get access even if it's password has expired; 2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually. Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful. [Test Case] 1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center - Brightness and Lock) 2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration; 3) login with normal (not expired) account (using lightdm/gdm/anotherdm); 4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using); 5) lock screen; 6) unlock screen with your password. You will not be asked to change your password; 7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied. [Regression Potential] Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
Here is the debdiff that fixes this bug. Packages with this patch should be built soon at https://launchpad.net/~urusha/+archive/bug952771 ** Patch added: precise debdiff https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/952771/+attachment/3446688/+files/gnome-screensaver-precise.patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Confirmed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
The attachment precise debdiff of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors team please also unsubscribe the team from this bug report. [This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.] ** Tags added: patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Confirmed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Branch linked: lp:~ubuntu-desktop/gnome-screensaver/ubuntu -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
Thanks urusha, The patch looks good to me and I've put it into raring. I used your debdiff and added a patch header (http://dep.debian.net/deps/dep3/). This change aligns with our longer term plans to get rid of gnome- screensaver and just use the greeter as the lock interface (the greeter would require a password change). -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Changed in: gnome-screensaver (Ubuntu) Status: Confirmed = Fix Committed ** Changed in: gnome-screensaver (Ubuntu) Importance: Undecided = Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Branch linked: lp:ubuntu/raring-proposed/gnome-screensaver -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
Thank you. But is there a chance to see it backported to precise? If we need compatibility with current behavior for precise (I can't find a reason for it, but...) - we could use attached patch to pam config and then administrators could change /etc/pam.d/gnome-screensaver themselves to enable handling of expired creds. What do you think? ** Patch added: precise debdiff compat https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/952771/+attachment/3447683/+files/gnome-screensaver-precise-compat.patch -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Fix Committed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Tags removed: exired ** Tags added: expired -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in “gnome-screensaver” package in Ubuntu: New Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Bug watch added: GNOME Bug Tracker #648875 https://bugzilla.gnome.org/show_bug.cgi?id=648875 ** Also affects: gnome-screensaver via https://bugzilla.gnome.org/show_bug.cgi?id=648875 Importance: Unknown Status: Unknown ** Changed in: gnome-screensaver (Ubuntu) Status: New = Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: Unknown Status in “gnome-screensaver” package in Ubuntu: Confirmed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 952771] Re: Gnome Screensaver should handle expired password tokens
** Changed in: gnome-screensaver Status: Unknown = New ** Changed in: gnome-screensaver Importance: Unknown = Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to gnome-screensaver in Ubuntu. https://bugs.launchpad.net/bugs/952771 Title: Gnome Screensaver should handle expired password tokens Status in GNOME Screensaver: New Status in “gnome-screensaver” package in Ubuntu: Confirmed Bug description: Gnome Screensaver should handle expired password tokens. Currently it does not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens). Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue: https://bugzilla.gnome.org/show_bug.cgi?id=648875 The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there). Both solutions using this patch (with and without passwd required pam_permit.so) tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected. This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream yet. To manage notifications about this bug go to: https://bugs.launchpad.net/gnome-screensaver/+bug/952771/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp