Hi,

I did some testing of pam_sss and the LDAP backend's password policy features and ran into some issues. One of them being the getuid() == 0 checks in pam_sss when checking whether the user needs to be prompted for the old password before changing the password.
I guess the intention of those checks is that "root" should be able to change a user's password without being prompted for the old password. There are however some issues with that:

- Most PAM clients run with a real uid of root (0), so that check will not work correctly in many cases. A notable exception being the passwd command. But with password policies in place, password changes can be triggered from almost every PAM client.
- When using the LDAP backend, even root would need to somehow authenticate against the LDAP server to be able to change a user's password.

Find a patch attached that tries to fix the former issue by checking for the PWEXP_FLAG that is set when pam_sm_authenticate returned PAM_NEW_AUTHTOK_REQD. I am not sure if this is really the best fix for the problem. I am open to suggestions. I haven't started looking for a solution for the latter issue yet.

-- 
regards,
Ralf
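The following C program is an added illustration of the two-stage flow the message describes; it is not code from the sssd tree, from libpam or from the attached patch. The handle model (struct pam_handle_model, model_set_data, model_get_data) is an assumed stand-in for pam_set_data()/pam_get_data() on a pam_handle_t, exp_marker stands in for whatever pam_sm_authenticate stores under PWEXP_FLAG, and the uid values in the scenarios are constructed. FLAGS_USE_FIRST_PASS handling is left out of the model. It compares the original real-uid-only condition with the patched one across three client situations: login (real uid 0) hitting an expired password, passwd run by an ordinary user, and passwd run by root with no preceding authenticate stage.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative model only: these stand in for pam_set_data()/pam_get_data()
 * on a pam_handle_t and are NOT libpam or sssd code. */
#define PWEXP_FLAG "pam_sss:password_expired_flag"
#define MAX_DATA 8

struct pam_handle_model {
    const char *names[MAX_DATA];
    const void *data[MAX_DATA];
    int count;
    unsigned real_uid;   /* what getuid() returns in the PAM client process */
};

static int model_set_data(struct pam_handle_model *h, const char *name, const void *data)
{
    for (int i = 0; i < h->count; i++) {
        if (strcmp(h->names[i], name) == 0) {
            h->data[i] = data;
            return 0;
        }
    }
    if (h->count == MAX_DATA)
        return -1;
    h->names[h->count] = name;
    h->data[h->count] = data;
    h->count++;
    return 0;
}

/* Returns 0 and fills *out if the item exists, -1 otherwise (cf. PAM_NO_MODULE_DATA). */
static int model_get_data(const struct pam_handle_model *h, const char *name, const void **out)
{
    for (int i = 0; i < h->count; i++) {
        if (strcmp(h->names[i], name) == 0) {
            *out = h->data[i];
            return 0;
        }
    }
    return -1;
}

static int exp_marker = 1;   /* assumed marker object stored under PWEXP_FLAG */

/* Stage 1: pam_sm_authenticate learns from the backend that the password is
 * expired, records that on the handle and returns PAM_NEW_AUTHTOK_REQD; the
 * client (login, sshd, ...) then calls pam_chauthtok() on the same handle. */
static void model_authenticate(struct pam_handle_model *h, int password_expired)
{
    if (password_expired)
        model_set_data(h, PWEXP_FLAG, &exp_marker);
}

/* Stage 2, original condition: prompt for the old password only when the
 * client's real uid is not 0. */
static int prompt_before_patch(const struct pam_handle_model *h)
{
    return h->real_uid != 0;
}

/* Stage 2, patched condition: additionally prompt whenever the expired-password
 * marker was set earlier in this same PAM transaction. */
static int prompt_after_patch(const struct pam_handle_model *h)
{
    const void *exp_data = NULL;
    int have_flag = (model_get_data(h, PWEXP_FLAG, &exp_data) == 0 && exp_data != NULL);
    return h->real_uid != 0 || have_flag;
}

/* Scenario: login runs as real uid 0, authenticates the user, the backend says
 * the password is expired, so login immediately calls pam_chauthtok(). */
static int login_root_expired(int patched)
{
    struct pam_handle_model h = { .count = 0, .real_uid = 0 };
    model_authenticate(&h, 1);
    return patched ? prompt_after_patch(&h) : prompt_before_patch(&h);
}

/* Scenario: passwd(1) is setuid root but its real uid is the calling user's
 * (constructed as 1000); it calls pam_chauthtok() without a prior authenticate. */
static int passwd_as_user(int patched)
{
    struct pam_handle_model h = { .count = 0, .real_uid = 1000 };
    return patched ? prompt_after_patch(&h) : prompt_before_patch(&h);
}

/* Scenario: root runs passwd for another account; no authenticate stage, real uid 0. */
static int passwd_as_root(int patched)
{
    struct pam_handle_model h = { .count = 0, .real_uid = 0 };
    return patched ? prompt_after_patch(&h) : prompt_before_patch(&h);
}

int main(void)
{
    printf("scenario               before  after\n");
    printf("login, root, expired   %d       %d\n", login_root_expired(0), login_root_expired(1));
    printf("passwd as uid 1000     %d       %d\n", passwd_as_user(0), passwd_as_user(1));
    printf("passwd as root         %d       %d\n", passwd_as_root(0), passwd_as_root(1));
    return 0;
}
```

The table makes the two points of the message concrete: the old condition never prompts a root-uid client even when it is changing an expired password on the user's behalf, while the patched condition prompts whenever the authenticate stage of the same transaction recorded the expiry, and still lets a root-run passwd (no authenticate stage, no marker) skip the prompt.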
From a02cebbd0fe5ccfe096fc0fb757435a8d5d70b2e Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp <rha...@suse.de> Date: Fri, 12 Mar 2010 14:37:33 +0100 Subject: [PATCH] Prompt for old password even when running as root When changing an expired password (during e.g. login) the PAM module needs to prompt for the old password even when running as root. --- src/sss_client/pam_sss.c | 6 ++++-- 1 files changed, 4 insertions(+), 2 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index a7da1ec..ff3a7f9 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t *pamh, int pam_flags) { int ret; - + int *exp_data = NULL; + pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data); + /* we query for the old password during PAM_PRELIM_CHECK to make * pam_sss work e.g. with pam_cracklib */ if (pam_flags & PAM_PRELIM_CHECK) { - if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) { + if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS)) { ret = prompt_password(pamh, pi, _("Current Password: ")); if (ret != PAM_SUCCESS) { D(("failed to get password from user")); -- 1.6.4.2
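Review bot: in the get_authtok_for_password_change hunk the return value of pam_get_data() is discarded and exp_data is declared `int *` only so that it can be cast to `const void **`; declaring it `const void *exp_data = NULL;` drops the cast, and testing the return for PAM_SUCCESS makes the condition say "the flag is present" explicitly instead of relying on the variable staying NULL when the item is missing. The new condition also has stray spaces inside the parentheses, `if ( (getuid() != 0 || exp_data ) && !(flags & FLAGS_USE_FIRST_PASS))`, which differs from the surrounding style. A one-line comment above the lookup noting that PWEXP_FLAG is set by pam_sm_authenticate on PAM_NEW_AUTHTOK_REQD would help, since this is the only place the real-uid check is bypassed; note also that a chauthtok-only caller such as passwd run by root never goes through that stage, so it keeps the old behaviour, which is what the cover message describes but not what the subject line "even when running as root" suggests.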
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel