On Wed, 09 Sep 2009, Russ Allbery wrote:

> Peter Palfrader <[email protected]> writes:
> 
> > on etch I used the following as my common-password:
> 
> > | password        required                        pam_cracklib.so retry=3 
> > minlen=10 difok=3 type=LDAP
> > | password        [success=1 default=ignore]      pam_krb5.so use_authtok 
> > minimum_uid=1000 debug
> > | password        required                        pam_unix.so use_authtok 
> > nullok md5
> > | password        required                        pam_permit.so
> 
> > now that I upgraded to lenny this no longer works.
> 
> Hm.  I think the problem is that use_authtok needs to mean different
> things during the preliminary check than it does during the password
> change itself.  use_authtok generally means never under any circumstances
> prompt for a password, and the problem that I fixed in the newer version
> is that you could press Enter to the password prompt on pam_cracklib and
> then pam_krb5 would have happily prompted you again and let you set a
> password that bypassed strength checking.  But I assume that pam_cracklib
> isn't prompting for your *current* password during the preliminary check
> phase.

Exactly.  It took me quite a while to grasp that, and figure out why it
ever worked on etch.

> Could you try this patch and see if it fixes the problem for you?  It's a
> bit of a hack and I may restructure it for the next release, but I think
> it's the right basic idea.


> --- a/password.c
> +++ b/password.c
> @@ -183,8 +183,23 @@ pamk5_password_change(struct pam_args *args, int 
> only_auth)
>      int pamret = PAM_SUCCESS;
>      char *pass = NULL;
>  
> -    /* Authenticate to the password changing service using the old password. 
> */
> +    /*
> +     * Authenticate to the password changing service using the old password.
> +     *
> +     * We potentially need to change the use_authtok flag here if we're
> +     * doing the preliminary check.  For the password stack, use_authtok
> +     * means to never prompt for the new password and always use what's in
> +     * the stack already.  But it doesn't mean to rely on the stack for the
> +     * old password, and pam_cracklib doesn't prompt for the old password.
> +     *
> +     * Convert use_authtok to use_first_pass if we're doing the preliminary
> +     * check.
> +     */
>      if (ctx->creds == NULL) {
> +        if (only_auth && args->use_authtok) {
> +            args->use_authtok = 0;
> +            args->use_first_pass = 1;
> +        }
>          pamret = pamk5_password_auth(args, "kadmin/changepw", &ctx->creds);
>          if (pamret == PAM_SERVICE_ERR || pamret == PAM_AUTH_ERR)
>              pamret = PAM_AUTHTOK_RECOVER_ERR;

Yup, that does the trick on both pam-krb5 and pam-heimdal[1], thanks.

Do you think we might see this fix in a lenny point release at some
point?

Cheers,


1. for heimdal I used
   | if ((flags & PAM_PRELIM_CHECK) && args->use_authtok) {
-- 
                           |  .''`.  ** Debian GNU/Linux **
      Peter Palfrader      | : :' :      The  universal
 http://www.palfrader.org/ | `. `'      Operating System
                           |   `-    http://www.debian.org/



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to