Bug 5028 - Web Access authentication does not handle expired password pam prompts
Summary: Web Access authentication does not handle expired password pam prompts
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Web Access (show other bugs)
Version: trunk
Hardware: PC Unknown
: P2 Normal
Target Milestone: 4.10.0
Assignee: Pierre Ossman
URL:
Keywords: hean01_tester, relnotes
Depends on: 5086
Blocks:
  Show dependency treegraph
 
Reported: 2014-03-19 14:44 CET by Henrik Andersson
Modified: 2018-08-13 13:35 CEST (History)
1 user (show)

See Also:
Acceptance Criteria:
* Users should be able to go through with the password change process when their password is expired


Attachments
Call pam_chauthtok if necessary (737 bytes, patch)
2016-02-29 08:25 CET, Peter Åstrand
Details | Diff

Description Henrik Andersson cendio 2014-03-19 14:44:04 CET
Trying to login using an account with expired password gives me following response:

You are required to change your password immediately (root enforced)

Username: [cendio     ]
Password: [           ]


From there I can choose to login using another user.
Comment 1 Henrik Andersson cendio 2014-03-19 15:03:08 CET
Also tested against 4.1.1 and it is not a regression.
Comment 2 Peter Åstrand cendio 2014-03-31 11:34:59 CEST
More information is needed: which platform is this? What kind of sshd configuration do you have? 

I failed to setup my CentOS 6 machine to support this. I configured the account as:

# chage astrand3
Changing the aging information for astrand3
Enter the new value, or press ENTER for the default

	Minimum Password Age [0]: 
	Maximum Password Age [365]: 180
	Last Password Change (YYYY-MM-DD) [2013-06-01]: 2013-06-01
	Password Expiration Warning [180]: 10
	Password Inactive [180]: 10
	Account Expiration Date (YYYY-MM-DD) [2014-06-01]: 2014-06-01

Ran authconfig-gtk to get a sane configuration. Then, trying to login:

$ ssh astrand3@scilla
Password: 
Your account has expired; please contact your system administrator

astrand3@scilla's password: 
Connection closed by 10.47.1.211
Comment 3 Henrik Andersson cendio 2014-03-31 15:00:51 CEST
(In reply to comment #2)
> More information is needed: which platform is this? What kind of sshd
> configuration do you have? 
>

Produced on a Centos 6 system default installation (SELinux enabled).
- Configured PasswordAuthentication=no (sshd_config) to disable passwd support in sshd so that it is passed further to pam.

- Disable the user account: chage -d 0 <user>

I believe that the extra message 

'You are required to change your password immediately (root enforced)'

is the source to the problem, before the actual password prompt.
Comment 4 Peter Åstrand cendio 2014-04-01 14:50:25 CEST
The code works as intended, but currently there's no support for interactive PAM conversations except in the "authentication" step. As I understand it, the "pamtester" helper does not support this either.
Comment 6 Peter Åstrand cendio 2016-02-29 08:25:58 CET
Created attachment 676 [details]
Call pam_chauthtok if necessary

With the attached, password change via the HTML5 client is possible. Still some
rough edges, though: Needs to login again after change, plus some info lines
are missing.
Comment 8 Pierre Ossman cendio 2016-08-17 10:49:21 CEST
Note that the discussion on this bug so far has been about enforced password change. There is also the case where you merely get a warning. In that case the attached patch does not solve the issue.

Example configuration to get the warning:

[ossman@ossman]$ sudo chage tltest
[sudo] password for ossman: 
Changing the aging information for tltest
Enter the new value, or press ENTER for the default

	Minimum Password Age [0]: 
	Maximum Password Age [99999]: 30
	Last Password Change (YYYY-MM-DD) [2015-11-27]: 2016-08-01
	Password Expiration Warning [7]: 20
	Password Inactive [-1]: 
	Account Expiration Date (YYYY-MM-DD) [-1]: 

~
[ossman@ossman]$ ssh tltest@localhost
tltest@localhost's password: 
Warning: your password will expire in 14 days
Last login: Mon Apr 25 11:02:45 2016 from ::1
[tltest@ossman ~]$ logout
Connection to localhost closed.
Comment 9 Pierre Ossman cendio 2016-08-17 11:00:21 CEST
This is the error from tlwebaccess:

2016-08-17 10:43:51 ERROR tlwebaccess[19882]: [::1] Error communicating with PAM subsystem for user u'tltest': [Errno 6] No such device or address: '/var/run/thinlinc/webaccess/pamtester-1ba19c908cd40188d76dbb6841d8a073fdfadb15.in'

And this is how pamtester behaves:

$ sudo ./src/pamtester --echofirst -v thinlinc tltest authenticate acct_mgmt
[sudo] password for ossman: 
Sorry, try again.
[sudo] password for ossman: 
pamtester: invoking pam_start(thinlinc, tltest, ...)
pamtester: performing operation - authenticate
Password: 
pamtester: successfully authenticated:linux99
pamtester: performing operation - acct_mgmt
Warning: your password will expire in 14 days
pamtester: account management done.

So this is probably related to bug 5086 where we discuss the problem handling messages.
Comment 16 Henrik Andersson cendio 2018-08-13 12:52:02 CEST
- Verified the code and that release notes looks good

- Verified that I could change an expired password using
  Web Access and prompts during login.
Comment 17 Henrik Andersson cendio 2018-08-13 13:35:00 CEST
(In reply to comment #16)

> - Verified that I could change an expired password using
>   Web Access and prompts during login.

This test was verified using local unix accounts.

I also verified change password using a system with Active Directory connected SSSD by checking "User must change password on next logon" on a user in AD, which worked as expected.

Note You need to log in before you can comment on or make changes to this bug.