Password is ignored on local login, even for root

Bug #526999 reported by Fabio
This bug affects 1 person
Affects: auth-client-config (Ubuntu) | Status: Invalid | Importance: Low | Assigned to: Unassigned

Bug Description

Binary package hint: auth-client-config

Hi

  I've installed "Ubuntu Server 9.10" + "Openssh Server" + "Kerberos" + "auth-client-config" (full list in attached "instalados.lis") with all updates.

If I run:

    # auth-client-config -a -p kerberos_example

  You don't need a password anymore to log on locally, root included !!!!!!
  Only press "Return" on "Password:" prompt
  Kerberos running or not, configured or not
  You can remove pam_krb5.so and problem is the same

  I can reset this with :
    # auth-client-config -a -p kerberos_example -r

  Another symptom, not cleared yet, may be related, message on /var/log/messages

.....login[1236]: Libgcrypt warning: missing initialization - please fix the application

Fabio (fabiop-fea) wrote :
security vulnerability: yes → no
visibility: private → public
Changed in auth-client-config (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)
Neal H. Walfield (neal-walfield) wrote :

This bug affects me. To work around it, I do the following:

- Run sudo auth-client-config -a -p kerberos_example
- Change /etc/pam.d/common-auth to use the attached file.
- Create /etc/pam.d/substack-kerberos-unix based on the attached file.

These files are under GPL v2 of the License, or (at your option) any later version.

Note that it is essential to not simply drop substack-kerberos-unix into common-auth as this prevents later authentication modules from running (which, e.g., sshd relies on).

These files (or something similar) should be integrated into /etc/auth-client-config/profile.d/acc-default .

Neal H. Walfield (neal-walfield) wrote :
Neal H. Walfield (neal-walfield) wrote :
Neal H. Walfield (neal-walfield) wrote :

The file attached to comment #2 is the incorrect version of the file (that is the bad version created by auth-client-config). Use the version attached to comment #3.

security vulnerability: no → yes
Jamie Strandboge (jdstrand) wrote :

This is not a security vulnerability as the file you are using is an example and not intended for production use. It says right in the profile /etc/auth-client-config/profile.d/acc-default:
#
# this example is for using kerberos to authenticate. Has been used with
# nss-updatedb, libpam-krb5 and libpam-ccreds. Sould also work with
# libpam-heimdal. This is only an example, and you may have to create
# your own profiles to authenticate with your system.
#
[kerberos_example]
...

I will verify that the example works as intended.

security vulnerability: yes → no
Changed in auth-client-config (Ubuntu):
importance: Undecided → Low
Changed in auth-client-config (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: New → Invalid
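
An added example, not part of the thread and not auth-client-config code: a check that simulates the auth lines of a file such as /etc/pam.d/common-auth with every credential-checking module failing and reports whether the stack still returns success, which is the symptom reported above. The two sample stacks are constructed for illustration and are not the contents of kerberos_example (the thread does not show them); jumps are modelled as plain skips, a missing default is treated as bad, and include/substack lines are not followed.

```python
import re

# Bracket-form equivalents of the simple control keywords (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# Modules whose result does not depend on any credential.
FIXED_RESULT = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}

def parse_auth_stack(text):
    """Return [(control_map, module_name)] for the auth lines of a PAM file."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)", line.split("#", 1)[0].strip())
        if not m:
            continue  # comments, other facilities, @include lines (not followed)
        ctl, module = m.groups()
        # KEYWORDS[ctl] raises KeyError on include/substack, which this sketch does not follow.
        ctl_map = dict(kv.split("=", 1) for kv in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
        stack.append((ctl_map, module.rsplit("/", 1)[-1]))
    return stack

def succeeds_when_all_checks_fail(text):
    """True if the stack grants access although every credential check returns auth_err."""
    stack, i, state = parse_auth_stack(text), 0, None  # state: None, "ok" or "bad"
    while i < len(stack):
        ctl_map, module = stack[i]
        result = FIXED_RESULT.get(module, "auth_err")
        action = ctl_map.get(result, ctl_map.get("default", "bad"))  # no default: bad (assumption)
        i += 1
        if action.isdigit():
            i += int(action)  # jump: modelled as a plain skip of N modules (assumption)
        elif action in ("bad", "die"):
            state = "bad"  # a recorded failure is never overridden by a later ok
            if action == "die":
                break
        elif action in ("ok", "done"):
            state = state or "ok"
            if action == "done" and state == "ok":
                break
        elif action == "reset":
            state = None
    return state == "ok"

# Constructed stacks, not the contents of kerberos_example.
WEAK = "auth sufficient pam_krb5.so\nauth sufficient pam_unix.so\nauth required pam_permit.so\n"
HARDENED = "auth sufficient pam_krb5.so\nauth sufficient pam_unix.so\nauth required pam_deny.so\n"
```

Running succeeds_when_all_checks_fail() on the real common-auth after applying any profile gives a quick regression check before logging out of the root session.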