I think I've been able to get pam_krb5 to ask for the new password
properly by using the "defer_pwchange" option which moves asking for the
replacement password from pam_authenticate() to pam_acct_mgmt().  See
the man page for pam_krb5.  However, the solution isn't perfect based on
this note from the man page:

           If this option is set, pam-krb5 uses the fully correct PAM mechanism for
           handling expired accounts instead of failing in pam_authenticate().  Due
           to the security risk of widespread broken applications, be very careful
           about enabling this option.  It should normally only be turned on to solve
           a specific problem (such as using Solaris Kerberos libraries that don't
           support prompting for password changes during authentication), and then
           only for specific applications known to call pam_acct_mgmt() and check its
           return status properly.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/972537

Title:
  lightdm doesn't allow expired passwords

Status in “lightdm” package in Ubuntu:
  Triaged
Status in “lightdm” source package in Precise:
  Triaged

Bug description:
  In Ubuntu 12.04, when logging in using the unity greeter in lightdm
  (1.1.9-0ubuntu1) with a user using Kerberos with an expired password,
  the login screen doesn't give the user the appropriate feedback to set
  their new password.  The text console works correctly.  The previous
  LTS used GDM, which behaved correctly.

  The normal prompting for this is:
  Username: cmo-test
  Password:  ****
  Password expired.  You must change it now.
  Enter new password:  ****
  Enter it again:  ****

  Instead, in lightdm, it is:
  Username: cmo-test
  Password: ****
  Enter it again: ****

  The "Password expired" message is never shown, and "Enter it again" is
  shown in the box instead of "Enter new password".  If you use
  lightdm-gtk-greeter, you get the "password expired" message printed under
  the box, but still have the same prompting, never asking for the new
  password.
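
The risk the quoted man page note describes, as an added example that is not part of the original message and is not pam_krb5 or lightdm code: a constructed stand-in for a PAM stack with defer_pwchange set, driven by one application that stops at authentication and one that checks the account-management result. The `sim_*` functions, `struct stack` and both login functions are hypothetical; the return-code values are those of Linux-PAM, defined locally so the file builds without libpam.

```c
#include <stdbool.h>
#include <stdio.h>

/* Linux-PAM return-code values, defined locally so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12,
       PAM_AUTHTOK_ERR = 20 };

/* Constructed stand-in for a stack using pam_krb5 with defer_pwchange set. */
struct stack {
    bool password_ok;   /* the current password verifies */
    bool expired;       /* ...but it is past its expiry */
    bool changed;       /* set once a replacement password is accepted */
};

/* With defer_pwchange, expiry no longer fails authentication. */
static int sim_authenticate(const struct stack *s) {
    return s->password_ok ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Expiry is reported from the account-management step instead. */
static int sim_acct_mgmt(const struct stack *s) {
    return (s->expired && !s->changed) ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}

/* Stands in for pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK). */
static int sim_chauthtok(struct stack *s, bool new_password_given) {
    if (!new_password_given) return PAM_AUTHTOK_ERR;
    s->changed = true;
    return PAM_SUCCESS;
}

/* Broken application: opens the session on authentication alone. */
bool login_broken(struct stack *s) {
    return sim_authenticate(s) == PAM_SUCCESS;
}

/* Correct application: checks account status and forces the change. */
bool login_correct(struct stack *s, bool new_password_given) {
    if (sim_authenticate(s) != PAM_SUCCESS) return false;
    int rc = sim_acct_mgmt(s);
    if (rc == PAM_NEW_AUTHTOK_REQD)
        rc = sim_chauthtok(s, new_password_given);
    return rc == PAM_SUCCESS;
}

int main(void) {
    struct stack s = { true, true, false };
    printf("broken=%d correct_no_change=%d\n", login_broken(&s), login_correct(&s, false));
    return 0;
}
```

When auditing a service before enabling the option for it, the thing to confirm is that its login path has the shape of `login_correct`: the account-management result is read, and a required password change blocks the session until it succeeds.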
