@kohsuke
I recently caught up on the CVE regarding proper account validation. I guess this is why pam_acct_mgmt was added and even backported to 1.4.x. However, here's the problem: somehow pam_setcred() also got in.
According to the Linux man pages, the user, aka the "pam service", needs proper permissions in order to actually apply credential changes -- if applicable. Thus, if the user who owns the jenkins process has no permission to actually execute pam_setcred(), the login fails.
Please refer to:
https://stackoverflow.com/questions/55841654/jenkins-invalid-username-and-password-pam-authentication
and
https://mapr.com/support/s/article/User-is-unable-to-login-on-the-MCS-page-after-upgrading-the-secure-cluster-to-6-0-version?language=en_US
Usually, people then tend to run jenkins as root which, IMHO, is not an option at all. Thus, I was wondering if the pam_setcred() method is a) really required or b) can be marked as optional in Jenkins' pam auth settings?
Last, people seem to have forked this lib already just to comment out this one line :(
Best, Florian