On Fri, Mar 12, 2010 at 04:37:26PM +0100, Ralf Haferkamp wrote:
> Hi,
> 
> I did some testing of pam_sss and the LDAP backend's password policy 
> features and ran into some issues. One of them being the getuid() == 0 
> checks in pam_sss when checking whether the user needs to be prompted for 
> the old password before changing the password.
> 
> I guess the intention of those checks is that "root" should be able to 
> change a user's password without being prompted for the old password. 
> There are however some issues with that:
> 
> - Most PAM clients run with a real uid of root(0), so that check will not
>   work correctly in many cases. A notable exception being the passwd
>   command. But with password policies in place password changes can be
>   triggered from almost every PAM client.
> 
> - When using the LDAP backend even root would need to somehow 
>   authenticate against the LDAP Server to be able to change a user's
>   password.

I'm not sure if we want to support the password resets by root at all
with the LDAP backend. Typically there are a couple of different ways
for an authorized user to change the password of a different user in an
LDAP server. The same holds for a Kerberos server.

Do you have use cases which can illustrate why it would make sense to
support it in sssd?

But at least we should send a message to the user that the password
reset is not possible and maybe a configurable hint on how to do it, like
pam_password_prohibit_message.

bye,
Sumit

> 
> Find a patch attached that tries to fix the former issue by checking for 
> the PWEXP_FLAG that is set when pam_sm_authenticate returned 
> PAM_NEW_AUTHTOK_REQD. I am not sure if this is really the best fix for 
> the problem. I am open to suggestions.
> 
> I haven't started looking for a solution for the latter issue yet.
> 
> -- 
> regards,
>       Ralf

> From a02cebbd0fe5ccfe096fc0fb757435a8d5d70b2e Mon Sep 17 00:00:00 2001
> From: Ralf Haferkamp <rha...@suse.de>
> Date: Fri, 12 Mar 2010 14:37:33 +0100
> Subject: [PATCH] Prompt for old password even when running as root
> 
> When changing an expired password (during e.g. login) the PAM module needs
> to prompt for the old password even when running as root.
> ---
>  src/sss_client/pam_sss.c |    6 ++++--
>  1 files changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
> index a7da1ec..ff3a7f9 100644
> --- a/src/sss_client/pam_sss.c
> +++ b/src/sss_client/pam_sss.c
> @@ -979,11 +979,13 @@ static int get_authtok_for_password_change(pam_handle_t 
> *pamh,
>                                             int pam_flags)
>  {
>      int ret;
> -
> +    int *exp_data = NULL;
> +    pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);
> +    
>      /* we query for the old password during PAM_PRELIM_CHECK to make
>       * pam_sss work e.g. with pam_cracklib */
>      if (pam_flags & PAM_PRELIM_CHECK) {
> -        if (getuid() != 0 && !(flags & FLAGS_USE_FIRST_PASS)) {
> +        if ( (getuid() != 0 || exp_data ) && !(flags & 
> FLAGS_USE_FIRST_PASS)) {
>              ret = prompt_password(pamh, pi, _("Current Password: "));
>              if (ret != PAM_SUCCESS) {
>                  D(("failed to get password from user"));
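Review bot: the return value of pam_get_data() on the added line `pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data);` is discarded, so the later `exp_data` test only works because of the `= NULL` initialiser; check the result explicitly (for example `if (pam_get_data(pamh, PWEXP_FLAG, (const void **) &exp_data) != PAM_SUCCESS) exp_data = NULL;`) and add a comment that a non-NULL pointer means pam_sm_authenticate returned PAM_NEW_AUTHTOK_REQD, since that is the whole basis of the new condition. Note also that the uid-0 shortcut still applies whenever the expiry flag is absent, so PAM clients running as root keep skipping the old-password prompt for non-expired changes; if that is intended it belongs in the commit message. Minor style: the added `+    ` line carries trailing whitespace, and `( (getuid() != 0 || exp_data )` has spacing that differs from the surrounding code; `(getuid() != 0 || exp_data != NULL)` would match it.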
> -- 
> 1.6.4.2
> 

> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://fedorahosted.org/mailman/listinfo/sssd-devel
