On Fri, Mar 12, 2010 at 04:37:26PM +0100, Ralf Haferkamp wrote:
> Hi,
>
> I did some testing of pam_sss and the LDAP backend's password policy
> features and ran into some issues. One of them being the getuid() == 0
> checks in pam_sss when checking whether the user needs to be prompted for
> the old password before changing the password.
>
> I guess the intention of those checks is that "root" should be able to
> change a user's password without being prompted for the old password.
> There are however some issues with that:
>
> - Most PAM clients run with a real uid of root(0), so that check will not
> work correctly in many cases. A notable exception being the passwd
> command. But with password policies in place password changes can be
> triggered from almost every PAM client.
>
> - When using the LDAP backend even root would need to somehow
> authenticate against the LDAP Server to be able to change a user's
> password.
I'm not sure if we want to support the password resets by root at all with
the LDAP backend. Typically there are a couple of different ways for an
authorized user to change the password of a different user in an LDAP server.
The same holds for a Kerberos server. Do you have use cases which can
illustrate why it would make sense to support it in sssd? But at least we
should send a message to the user that the password reset is not possible and
maybe a configurable hint on how to do it, like pam_password_prohibit_message.

bye,
Sumit

> Find a patch attached that tries to fix the former issue by checking for
> the PWEXP_FLAG that is set when pam_sm_authenticate returned
> PAM_NEW_AUTHTOK_REQD. I am not sure if this is really the best fix for
> the problem. I am open to suggestions.
>
> I haven't started looking for a solution for the latter issue yet.
>
> --
> regards,
> Ralf
>
> From a02cebbd0fe5ccfe096fc0fb757435a8d5d70b2e Mon Sep 17 00:00:00 2001
> From: Ralf Haferkamp <rha...@suse.de>
> Date: Fri, 12 Mar 2010 14:37:33 +0100
> Subject: [PATCH] Prompt for old password even when running as root
>
> When changing an expired password (during e.g. login) the PAM module needs
> to prompt for the old password even when running as root.
> ---
>  src/sss_client/pam_sss.c |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
> index a7da1ec..ff3a7f9 100644
> --- a/src/sss_client/pam_sss.c
> +++ b/src/sss_client/pam_sss.c
> @@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t > *pamh, > int pam_flags) > { > int ret; > - > + int *exp_data = NULL; > + pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data); > + > /* we query for the old password during PAM_PRELIM_CHECK to make > * pam_sss work e.g. with pam_cracklib */ > if (pam_flags & PAM_PRELIM_CHECK) { > - if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) { > + if ( (getuid() != 0 || exp_data ) && !(flags & > FLAGS_USE_FIRST_PASS)) { > ret = prompt_password(pamh, pi, _("Current Password: ")); > if (ret != PAM_SUCCESS) { > D(("failed to get password from user")); > -- > 1.6.4.2 > > _______________________________________________ > sssd-devel mailing list > sssd-devel@lists.fedorahosted.org > https://fedorahosted.org/mailman/listinfo/sssd-devel _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel
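Review bot: the return value of pam_get_data() is discarded in the added lines of this hunk, so the decision to skip the "Current Password:" prompt for a root-uid caller rests only on exp_data having stayed NULL when PWEXP_FLAG was never set. Since this pointer now gates a security-relevant prompt, make the condition explicit: keep the result (`ret = pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);`) and test `ret == PAM_SUCCESS && exp_data != NULL`, with a comment noting that PWEXP_FLAG is set by pam_sm_authenticate on PAM_NEW_AUTHTOK_REQD as the cover letter describes. The spacing in `if ( (getuid() != 0 || exp_data ) && !(flags &` also departs from the surrounding style (`if (getuid() != 0 && ...`). Finally, as the cover letter itself points out, the getuid() != 0 branch still skips the prompt for every other root-uid PAM client, so this hunk narrows the root bypass only for the expired-password case; the commit message should say so.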