rra / pam-krb5

PAM module for Kerberos authentication
https://www.eyrie.org/~eagle/software/pam-krb5/

Changing password is not possible #7

Closed spaceone closed 7 years ago

spaceone commented 7 years ago

Hi :-)

heimdal now (>= version 7.1.0 / https://github.com/heimdal/heimdal/pull/152 / https://github.com/heimdal/heimdal/commit/7422cd1f6b012c2edb4e04ec03c993b5c047611f) supports the krb5_get_init_creds_opt_set_change_password_prompt API. Therefore the defer_pwchange option works! This can be documented at: https://github.com/rra/pam-krb5/commit/6a46b475da73de32cc7c22dc8dfe62166087837f

Now it seems there is a problem in pam_krb5 when changing the password, which is not possible. I have the following configuration:

auth     sufficient pam_krb5.so use_first_pass defer_pwchange debug=true trace=/tmp/krb5
auth     required pam_deny.so
account  required pam_krb5.so force_pwchange debug=true trace=/tmp/krb5
password required pam_krb5.so use_first_pass use_authtok defer_pwchange debug=true trace=/tmp/krb5

When I do a chauthtok I receive the following error:

>>> pam.chauthtok()
login:test99
Current Kerberos password: 
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
PAM.error: ('Authentication token is no longer valid; new one required', 12)

The logs don't contain anything useful. I can't switch on debug=true or get trace=... working. Maybe you have got an idea:

Apr 28 10:55:40 xen3 python: pam_krb5(service:chauthtok): trace logging requested but not supported
Apr 28 10:55:40 xen3 python: pam_krb5(service:chauthtok): pam_sm_chauthtok: entry (prelim)
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): (user test99) attempting authentication as test99@SCHOOL.LOCAL for kadmin/changepw
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): (user test99) krb5_get_init_creds_password: Password has expired
Apr 28 10:55:43 xen3 python: pam_krb5(service:chauthtok): pam_sm_chauthtok: exit (failure)

spaceone commented 7 years ago

I am using libpam-krb5 version 4.6-3. I hope there is nothing fixed in between, I will have a look at the last commits.

spaceone commented 7 years ago

I see that pamk5_password() is called with only_auth=true. Why is this?

spaceone commented 7 years ago

krb5_get_init_creds_opt_set_change_password_prompt() is also not called when calling pam_sm_chauthtok() because it jumps into the else block: https://github.com/rra/pam-krb5/blob/master/auth.c#L166

I added it manually with argument 0 into the else block which doesn't help either.

spaceone commented 7 years ago

The heimdal KDC library returns KRB5KDC_ERR_POLICY -1765328372L KDC policy rejects request. This doesn't happen with 'kinit'.

spaceone commented 7 years ago

It works if I remove the "proxiable = true" from the "[libdefaults]" section in /etc/krb5.conf.

spaceone commented 7 years ago

See PR #8.

rra commented 7 years ago

Could you explain more about why you have proxiable tickets enabled in krb5.conf? I feel like this may be the actual bug. You're explicitly turning on (non-default) ticket options, and then overriding that and turning it off again inside the pam-krb5 module with your patch, so effectively you're just turning proxiable to false again. Why not just set it to false if that's the behavior you want?

rra commented 7 years ago

Closed with bf8f521d.