On Wed, 09 Sep 2009, Russ Allbery wrote:
> Peter Palfrader <[email protected]> writes:
>
> > on etch I used the following as my common-password:
>
> > | password required pam_cracklib.so retry=3
> > minlen=10 difok=3 type=LDAP
> > | password [success=1 default=ignore] pam_krb5.so use_authtok
> > minimum_uid=1000 debug
> > | password required pam_unix.so use_authtok
> > nullok md5
> > | password required pam_permit.so
>
> > now that I upgraded to lenny this no longer works.
>
> Hm. I think the problem is that use_authtok needs to mean different
> things during the preliminary check than it does during the password
> change itself. use_authtok generally means never under any circumstances
> prompt for a password, and the problem that I fixed in the newer version
> is that you could press Enter to the password prompt on pam_cracklib and
> then pam_krb5 would have happily prompted you again and let you set a
> password that bypassed strength checking. But I assume that pam_cracklib
> isn't prompting for your *current* password during the preliminary check
> phase.
Exactly. It took me quite a while to grasp that, and figure out why it
ever worked on etch.
> Could you try this patch and see if it fixes the problem for you? It's a
> bit of a hack and I may restructure it for the next release, but I think
> it's the right basic idea.
> --- a/password.c
> +++ b/password.c
> @@ -183,8 +183,23 @@ pamk5_password_change(struct pam_args *args, int
> only_auth)
> int pamret = PAM_SUCCESS;
> char *pass = NULL;
>
> - /* Authenticate to the password changing service using the old password.
> */
> + /*
> + * Authenticate to the password changing service using the old password.
> + *
> + * We potentially need to change the use_authtok flag here if we're
> + * doing the preliminary check. For the password stack, use_authtok
> + * means to never prompt for the new password and always use what's in
> + * the stack already. But it doesn't mean to rely on the stack for the
> + * old password, and pam_cracklib doesn't prompt for the old password.
> + *
> + * Convert use_authtok to use_first_pass if we're doing the preliminary
> + * check.
> + */
> if (ctx->creds == NULL) {
> + if (only_auth && args->use_authtok) {
> + args->use_authtok = 0;
> + args->use_first_pass = 1;
> + }
> pamret = pamk5_password_auth(args, "kadmin/changepw", &ctx->creds);
> if (pamret == PAM_SERVICE_ERR || pamret == PAM_AUTH_ERR)
> pamret = PAM_AUTHTOK_RECOVER_ERR;
Yup, that does the trick on both pam-krb5 and pam-heimdal[1], thanks.
Do you think we might see this fix in a lenny point release at some
point?
Cheers,
1. for heimdal I used
| if ((flags & PAM_PRELIM_CHECK) && args->use_authtok) {
--
| .''`. ** Debian GNU/Linux **
Peter Palfrader | : :' : The universal
http://www.palfrader.org/ | `. `' Operating System
| `- http://www.debian.org/
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]