Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Problem with transition user's credentials through pam-stack #5418

Closed
enot586 opened this issue Nov 28, 2020 · 9 comments
Closed

Problem with transition user's credentials through pam-stack #5418

enot586 opened this issue Nov 28, 2020 · 9 comments
Assignees
Labels
Closed: Fixed Issue was closed as fixed. Future work

Comments

@enot586
Copy link

enot586 commented Nov 28, 2020

Hello,

i'm not sure my situation is issue or not but i can't see any mistake on my side. It seems there is an issue in case of using use_first_pass parameter when we need to get old password from another module.
i would be grateful if somebody could give any advice or clarification.

my stuff and environment:

i have several test hosts(based on Debian and Red Hat) and two test domains FreeIpa and AD each of them includes test user with password q1w2e3r4t5y6. In the both domains the password marked as expired so the first user's login lead to changing current password.

In client host i put this configs on the top of all main pam-configs(just for test to avoid any interaction with other pam-modules):

password [default=die success=ok]   my_custom_pam.so
password [default=die success=done] pam_sss.so use_authtok use_first_pass

So i expect that after authentication pam_sss will get the current and new user's password from my_custom_pam.so without any prompt and the process of changing password will be performed automatically without user's participation.

my_custom_pam.so includes two simple functions which provide test user credentials:

PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, int argc, const char
**argv) {
    pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6");
    return PAM_SUCCESS;
}

PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char
**argv) {
    pam_set_item(pamh, PAM_OLDAUTHTOK, "q1w2e3r4t5y6");
    pam_set_item(pamh, PAM_AUTHTOK, "q1w2e3r4t5y6");
    return PAM_SUCCESS;
}

When i try to authenticate my test user i get as expected "Password expired. Change your password now." and not expected "Old password not accepted".

According to log

  1. auth stage is finished successfully(!) with PAM_NEW_AUTHTOK_REQD = 12
  2. during chauthtok prelim stage pam_sss returns "Old password not accepted.". I can't get why it happens.
    I can't go through chauthtok prelim step and finish password changing
...
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): [DEBUG] Debug: 1, Slot: 0
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:auth): PAM_SUCCESS
Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/6 ruser=user rhost= user=test_user(a)dc.test
Nov 27 08:35:04 test su[68635]: pam_sss(su:auth): received for user test_user(a)dc.test: 12
Nov 27 08:35:04 test su[68635]: pam_sss(su:account): User info message: <message>
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PRELIM
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): EXPIRED
Nov 27 08:35:04 test su[68635]: my_custom_pam(su:chauthtok): PAM_SUCCESS
Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): User info message: Old password not accepted.
Nov 27 08:35:04 test su[68635]: pam_sss(su:chauthtok): Authentication failed for user test_user(a)dc.test: 4 (System error)
...

The server can't accept user credentials, but the credentials are absolutely right. Moreover i remove use_first_pass parameter and enter current password manually when pam_sss give a prompt. I mean that i enter the same password and it works, the password is changed successfully in this case.

I got the same result in FreeIpa and Active Directory i use SSSD-2.0.0.

@enot586
Copy link
Author

enot586 commented Dec 1, 2020

i added debug info into pam_sss() in the begining at once after get_pam_items()

Here i used "use_first_pass" parameter:

_Dec  1 11:36:31 client su[14063]: my_custom_pam(su:auth): [DEBUG] Debug: 1, Slot: 1
Dec  1 11:36:31 client su[14063]: my_custom_pam(su:auth): PAM_SUCCESS
...
Dec  1 11:36:31 client su[14063]: pam_sss(su:auth): pi->authtok =  (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:auth): pi->newauthtok =  (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:auth): pi->pamstack_oldauthtok =
Dec  1 11:36:31 client su[14063]: pam_sss(su:auth): pi->pamstack_authtok =  q1w2e3r4t5y6
Dec  1 11:36:31 client su[14063]: pam_sss(su:auth): authentication failure; logname= uid=1000 euid=0 tty=pts/2 ruser=user rhost= user=new_new_user
Dec  1 11:36:31 client su[14063]: pam_sss(su:auth): received for user new_new_user: 12 (Маркер проверки подлинности больше недействителен; требуется новый)
Dec  1 11:36:31 client su[14063]: pam_sss(su:account): pass_group: (null), cert_group: (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:account): pi->authtok =  (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:account): pi->newauthtok =  (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:account): pi->pamstack_oldauthtok =
Dec  1 11:36:31 client su[14063]: pam_sss(su:account): pi->pamstack_authtok =
Dec  1 11:36:31 client su[14063]: pam_sss(su:account): User info message: Password expired. Change your password now.
Dec  1 11:36:31 client su[14063]: my_custom_pam(su:chauthtok): [DEBUG] Debug: 1, Slot: 1
Dec  1 11:36:31 client su[14063]: my_custom_pam(su:chauthtok): PRELIM
Dec  1 11:36:31 client su[14063]: my_custom_pam(su:chauthtok): EXPIRED
Dec  1 11:36:31 client su[14063]: my_custom_pam(su:chauthtok): PAM_SUCCESS
Dec  1 11:36:31 client su[14063]: pam_sss(su:chauthtok): pi->authtok =  (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:chauthtok): pi->newauthtok =  (null)
Dec  1 11:36:31 client su[14063]: pam_sss(su:chauthtok): pi->pamstack_oldauthtok =  q1w2e3r4t5y6
Dec  1 11:36:31 client su[14063]: pam_sss(su:chauthtok): pi->pamstack_authtok =  q1w2e3r4t5y6
Dec  1 11:36:31 client su[14063]: pam_sss(su:chauthtok): User info message: Password change failed. Server message: Old password not accepted.
Dec  1 11:36:31 client su[14063]: pam_sss(su:chauthtok): Authentication failed for user new_new_user: 4 (Системная ошибка)_

Here I removed "use_first_pass" parameter from config.

In this case i enter the current password manually but the new password is gotten automatically.

_Dec  1 11:40:28 client su[14097]: my_custom_pam(su:auth): [DEBUG] Debug: 1, Slot: 1
Dec  1 11:40:28 client su[14097]: my_custom_pam(su:auth): PAM_SUCCESS
...
Dec  1 11:40:28 client su[14097]: pam_sss(su:auth): pi->authtok =  (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:auth): pi->newauthtok =  (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:auth): pi->pamstack_oldauthtok =
Dec  1 11:40:28 client su[14097]: pam_sss(su:auth): pi->pamstack_authtok =  q1w2e3r4t5y6
Dec  1 11:40:28 client su[14097]: pam_sss(su:auth): authentication failure; logname= uid=1000 euid=0 tty=pts/2 ruser=user rhost= user=new_new_user
Dec  1 11:40:28 client su[14097]: pam_sss(su:auth): received for user new_new_user: 12 (Маркер проверки подлинности больше недействителен; требуется новый)
Dec  1 11:40:28 client su[14097]: pam_sss(su:account): pass_group: (null), cert_group: (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:account): pi->authtok =  (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:account): pi->newauthtok =  (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:account): pi->pamstack_oldauthtok =
Dec  1 11:40:28 client su[14097]: pam_sss(su:account): pi->pamstack_authtok =
Dec  1 11:40:28 client su[14097]: pam_sss(su:account): User info message: Password expired. Change your password now.
Dec  1 11:40:28 client su[14097]: my_custom_pam(su:chauthtok): [DEBUG] Debug: 1, Slot: 1
Dec  1 11:40:28 client su[14097]: my_custom_pam(su:chauthtok): PRELIM
Dec  1 11:40:28 client su[14097]: my_custom_pam(su:chauthtok): EXPIRED
Dec  1 11:40:28 client su[14097]: my_custom_pam(su:chauthtok): PAM_SUCCESS
...
Dec  1 11:40:28 client su[14097]: pam_sss(su:chauthtok): pi->authtok =  (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:chauthtok): pi->newauthtok =  (null)
Dec  1 11:40:28 client su[14097]: pam_sss(su:chauthtok): pi->pamstack_oldauthtok =  q1w2e3r4t5y6
Dec  1 11:40:28 client su[14097]: pam_sss(su:chauthtok): pi->pamstack_authtok =  q1w2e3r4t5y6
Dec  1 11:40:33 client su[14097]: my_custom_pam(su:chauthtok): [DEBUG] Debug: 1, Slot: 1
Dec  1 11:40:33 client su[14097]: my_custom_pam(su:chauthtok): UPDATE
Dec  1 11:40:33 client su[14097]: my_custom_pam(su:chauthtok): EXPIRED
Dec  1 11:40:33 client su[14097]: my_custom_pam(su:chauthtok): PAM_SUCCESS
Dec  1 11:40:33 client su[14097]: pam_sss(su:chauthtok): pass_group: (null), cert_group: (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:chauthtok): pi->authtok =  (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:chauthtok): pi->newauthtok =  (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:chauthtok): pi->pamstack_oldauthtok =  q1w2e3r4t5y6
Dec  1 11:40:33 client su[14097]: pam_sss(su:chauthtok): pi->pamstack_authtok =  q1w2e3r4t5y6
Dec  1 11:40:33 client su[14097]: pam_sss(su:setcred): pass_group: (null), cert_group: (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:setcred): pi->authtok =  (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:setcred): pi->newauthtok =  (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:setcred): pi->pamstack_oldauthtok =
Dec  1 11:40:33 client su[14097]: pam_sss(su:setcred): pi->pamstack_authtok =
Dec  1 11:40:33 client su[14097]: pam_unix(su:session): session opened for user new_new_user by (uid=1000)
Dec  1 11:40:33 client su[14097]: pam_sss(su:session): pass_group: (null), cert_group: (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:session): pi->authtok =  (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:session): pi->newauthtok =  (null)
Dec  1 11:40:33 client su[14097]: pam_sss(su:session): pi->pamstack_oldauthtok =
Dec  1 11:40:33 client su[14097]: pam_sss(su:session): pi->pamstack_authtok =
Dec  1 11:43:06 client su[14111]: pam_unix(su:session): session opened for user user by (uid=1639200014)
Dec  1 11:43:06 client su[14111]: pam_sss(su:session): pass_group: (null), cert_group: (null)
Dec  1 11:43:06 client su[14111]: pam_sss(su:session): pi->authtok =  (null)
Dec  1 11:43:06 client su[14111]: pam_sss(su:session): pi->newauthtok =  (null)
Dec  1 11:43:06 client su[14111]: pam_sss(su:session): pi->pamstack_oldauthtok =
Dec  1 11:43:06 client su[14111]: pam_sss(su:session): pi->pamstack_authtok =_

@enot586
Copy link
Author

enot586 commented Dec 1, 2020

i belive that pi.authtok should be initialized by PAM_OLDAUTHTOK in get_authtok_for_password_change() when use_first_pass is set in pam configuration

@sumit-bose
Copy link
Contributor

Hi,

thanks for the analysis. You might be right, but I have to figure out how the PAM variables are set in a typical setup where pam_pwquality and pam_unix are called before pam_sss. I thought that the old password in this case was already request by one of the other modules as well, as it is in your case. But I might be wrong.

bye,
Sumit

@alexey-tikhonov
Copy link
Member

@ikerexxe, could you please take a look?

@ikerexxe
Copy link
Contributor

I'll take a look at it in the following days

@ikerexxe
Copy link
Contributor

The scenario explained in this ticket fails as if no password was stacked. Currently, sssd (v2.9.1) requests to enter the old password always.

If I set use_authtok instead of use_first_pass, which tries to use the old password, and if no old password is provided then it asks for the old password not the new one. https://github.com/SSSD/sssd/blob/master/src/sss_client/pam_sss.c#L2731 seems to be the reason for that.

@sumit-bose since pam_cracklib was replaced by pam_pwquality, is that part of the code still valid?

@sumit-bose
Copy link
Contributor

Hi,

thanks for looking into this. I guess in the PAM_PRELIM_CHECK case the handling of use_first_pass, i.e. copy pamstack_oldauthtok, is missing. I haven't looked at the code but maybe pam_cracklib didn't ask for the old password and only checked the new one while pam_pwquality asks for the old one as well. Nevertheless we should try to make sure that both variants are working as expected.

bye,
Sumit

lo1ol added a commit to lo1ol/sssd that referenced this issue Nov 17, 2023
…HECK

COMPONENT: pam_sss

pam_sss ignored old authtoks passed from another pam modules

Resolves: SSSD#7007
Resolves: SSSD#5418
lo1ol added a commit to lo1ol/sssd that referenced this issue Nov 21, 2023
…HECK

COMPONENT: pam_sss

pam_sss ignored old authtoks passed from another pam modules

Resolves: SSSD#7007
Resolves: SSSD#5418
pbrezina pushed a commit to lo1ol/sssd that referenced this issue Nov 28, 2023
…_PRELIM_CHECK

pam_sss ignored old authtoks passed from another pam modules

Resolves: SSSD#7007
Resolves: SSSD#5418
@pbrezina
Copy link
Member

Pushed PR: #7026

  • master
    • ae6b916 - pam_sss: fix passthrow of old authtok from another pam modules at PAM_PRELIM_CHECK

@pbrezina pbrezina added the Closed: Fixed Issue was closed as fixed. label Nov 28, 2023
alexey-tikhonov pushed a commit to alexey-tikhonov/sssd that referenced this issue Jul 18, 2024
…_PRELIM_CHECK

pam_sss ignored old authtoks passed from another pam modules

Resolves: SSSD#7007
Resolves: SSSD#5418

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ae6b916)
alexey-tikhonov pushed a commit that referenced this issue Jul 19, 2024
…_PRELIM_CHECK

pam_sss ignored old authtoks passed from another pam modules

Resolves: #7007
Resolves: #5418

Reviewed-by: Iker Pedrosa <ipedrosa@redhat.com>
Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit ae6b916)

Reviewed-by: Sumit Bose <sbose@redhat.com>
@alexey-tikhonov
Copy link
Member

Pushed PR: #7500

  • sssd-2-9
    • 2a50bc1 - ci deps: do not use -- to denote positional arguments anymore
    • 4242356 - tests: updating makefile.am to include tests
    • 7e76396 - pam_sss: add missing optional 2nd factor handling
    • ef375cd - krb5_child: do not try passwords with OTP
    • 39cbb8d - pam_sss: fix passthrow of old authtok from another pam modules at PAM_PRELIM_CHECK

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Closed: Fixed Issue was closed as fixed. Future work
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants