Package: libpam-heimdal,libpam-krb5
Severity: normal

[moving email discussion into the BTS, more mails to follow]

Hi,

on etch I used the following as my common-password:

| password        required                        pam_cracklib.so retry=3 
minlen=10 difok=3 type=LDAP
| password        [success=1 default=ignore]      pam_krb5.so use_authtok 
minimum_uid=1000 debug
| password        required                        pam_unix.so use_authtok 
nullok md5
| password        required                        pam_permit.so

now that I upgraded to lenny this no longer works.


The problem is that in the olden days pam_krb5 would ask for a password
in the PAM_PRELIM_CHECK phase of password changing:

|    if (args->try_first_pass || args->use_first_pass || args->use_authtok)
|        retval = pam_get_item(ctx->pamh, authtok, (void *) &pass);
|    if (args->use_authtok && retval != PAM_SUCCESS) {
|        pamk5_debug_pam(ctx, args, "no stored password", retval);
|        retval = PAM_SERVICE_ERR;
|        goto done;
|    }
|    do {
[prompt for password]

Now in lenny in no longer does:
|    retry = args->try_first_pass ? 1 : 0;
|    if (args->try_first_pass || args->use_first_pass || args->use_authtok)
|        retval = pam_get_item(args->pamh, authtok, (void *) &pass);
|    if (args->use_authtok && (retval != PAM_SUCCESS || pass == NULL)) {
                                                     ^^^^^^^^^^^^^^^
|        pamk5_debug_pam(args, "no stored password", retval);
|        retval = PAM_SERVICE_ERR;
|        goto done;
|    }
|    do {

This code is the same in libpam-heimdal and libpam-krb5.

I hope you can shed some light on what this is.

Is this a bug in my configuration?  If yes, what should it be.  Note
that while pam_unix properly(?) prompts for a password in the prelim
check phase even if use_authtok is set, pam_unix will not ask for a
password if the user is not in /etc/passwd, so reordering won't help me
here.

Is this a bug in the code?  The NEWS file lists the following entry:
| pam-krb5 3.9 (2007-11-12)
| 
|     If use_authtok is set, fail even if we can retrieve the stored PAM
|     password if that password is set to NULL.  Apparently that can happen
|     in some cases, such as with pam_cracklib.  Thanks to Christian Holler
|     for the diagnosis and a patch.
but that does not say why we would want to fail in the preliminary phase in
such a case.

I'm hoping to hear from you,
Cheers,
weasel
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to