| 2012-03-12 08:00:10 |
urusha |
bug |
|
|
added bug |
| 2012-03-12 08:40:44 |
urusha |
tags |
exired gnome-screensaver kerberos pam |
expired gnome-screensaver kerberos pam |
|
| 2012-03-12 11:52:30 |
Marc Deslauriers |
bug watch added |
|
https://bugzilla.gnome.org/show_bug.cgi?id=648875 |
|
| 2012-03-12 11:52:30 |
Marc Deslauriers |
bug task added |
|
gnome-screensaver |
|
| 2012-03-12 11:52:38 |
Marc Deslauriers |
gnome-screensaver (Ubuntu): status |
New |
Confirmed |
|
| 2012-03-12 19:34:12 |
Bug Watch Updater |
gnome-screensaver: status |
Unknown |
New |
|
| 2012-03-12 19:34:12 |
Bug Watch Updater |
gnome-screensaver: importance |
Unknown |
Medium |
|
| 2012-11-29 10:57:19 |
urusha |
attachment added |
|
precise debdiff https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/952771/+attachment/3446688/+files/gnome-screensaver-precise.patch |
|
| 2012-11-29 12:19:17 |
Ubuntu Foundations Team Bug Bot |
tags |
expired gnome-screensaver kerberos pam |
expired gnome-screensaver kerberos pam patch |
|
| 2012-11-29 12:19:23 |
Ubuntu Foundations Team Bug Bot |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2012-11-30 03:29:37 |
Launchpad Janitor |
branch linked |
|
lp:~ubuntu-desktop/gnome-screensaver/ubuntu |
|
| 2012-11-30 03:31:43 |
Robert Ancell |
gnome-screensaver (Ubuntu): status |
Confirmed |
Fix Committed |
|
| 2012-11-30 03:31:45 |
Robert Ancell |
gnome-screensaver (Ubuntu): importance |
Undecided |
Medium |
|
| 2012-11-30 04:13:14 |
Launchpad Janitor |
branch linked |
|
lp:ubuntu/raring-proposed/gnome-screensaver |
|
| 2012-11-30 07:10:50 |
urusha |
attachment added |
|
precise debdiff compat https://bugs.launchpad.net/ubuntu/+source/gnome-screensaver/+bug/952771/+attachment/3447683/+files/gnome-screensaver-precise-compat.patch |
|
| 2012-11-30 11:23:23 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2012-11-30 11:23:30 |
Sebastien Bacher |
nominated for series |
|
Ubuntu Precise |
|
| 2012-11-30 11:23:30 |
Sebastien Bacher |
bug task added |
|
gnome-screensaver (Ubuntu Precise) |
|
| 2012-11-30 11:23:40 |
Sebastien Bacher |
gnome-screensaver (Ubuntu Precise): importance |
Undecided |
Low |
|
| 2012-11-30 11:23:40 |
Sebastien Bacher |
gnome-screensaver (Ubuntu Precise): status |
New |
Triaged |
|
| 2012-11-30 14:40:58 |
urusha |
description |
Gnome Screensaver should handle expired password tokens. Currently it does
not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens).
Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue:
https://bugzilla.gnome.org/show_bug.cgi?id=648875
The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there).
Both solutions using this patch (with and without "passwd required pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected.
This is really nice improvement for big corporate environments. So, It would be nice to apply this patch even if it's not in upstream
yet. |
Gnome Screensaver should handle expired password tokens. Currently it does
not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens).
Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue:
https://bugzilla.gnome.org/show_bug.cgi?id=648875
The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there).
Both solutions using this patch (with and without "passwd required pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected.
[Impact]
Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems:
1) security: user can unlock screen and get access even if it's password has expired;
2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually.
Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful.
[Test Case]
1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center -> Brightness and Lock)
2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration;
3) login with normal (not expired) account (using lightdm/gdm/anotherdm);
4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using);
5) lock screen;
6) unlock screen with you password. You will not be asked to change your password;
7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied.
[Regression Potential]
Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). |
|
| 2012-11-30 14:41:37 |
urusha |
description |
Gnome Screensaver should handle expired password tokens. Currently it does
not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens).
Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue:
https://bugzilla.gnome.org/show_bug.cgi?id=648875
The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there).
Both solutions using this patch (with and without "passwd required pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected.
[Impact]
Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems:
1) security: user can unlock screen and get access even if it's password has expired;
2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually.
Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful.
[Test Case]
1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center -> Brightness and Lock)
2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration;
3) login with normal (not expired) account (using lightdm/gdm/anotherdm);
4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using);
5) lock screen;
6) unlock screen with you password. You will not be asked to change your password;
7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied.
[Regression Potential]
Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). |
Gnome Screensaver should handle expired password tokens. Currently it does
not. It just unlocks screen, so in case you're using kerberos - your credentials cache stays expired and you need to manually change your password or logout and then login again (lightdm, gdm, etc. do handle expired password tokens).
Actually, there is a mainstream bugreport with patch solving the problem, but it seems noone is interested in solving this issue:
https://bugzilla.gnome.org/show_bug.cgi?id=648875
The patch provided by Brian C. Huffman solves the issue and is compatible with today's GS behavior (it can be emulated using special pam config, see comment 9 there).
Both solutions using this patch (with and without "passwd required pam_permit.so") tested by me with oneiric's gnome-screensaver-3.2.0-ubuntu1 and work as expected.
[Impact]
Gnome-screensaver doesn't handle expired credentials. If user's account password must be changed (e.g. expired), when unlocking screen, gnome-screensaver doesn't suggest to change the password. This behavior rises two problems:
1) security: user can unlock screen and get access even if it's password has expired;
2) usability: if kerberos authentication is used, then credentials cache stays expired, so user can't access kerberized services until password is changed manually.
Since precise LTS is used widely in corporate environments (with krb5 auth), backporting to it would be useful.
[Test Case]
1) Configure gnome-screensaver to lock screen and require password to login (gnome-control-center -> Brightness and Lock)
2) Configure pam to use krb5/sss/winbind authentication against any KDC that supports password expiration;
3) login with normal (not expired) account (using lightdm/gdm/anotherdm);
4) mark this account's password as expired (or 'must change') somehow (depends on KDC you're using);
5) lock screen;
6) unlock screen with your password. You will not be asked to change your password;
7) try to access any kerberized service (http-proxy/samba/ssh), since credentials cache is expired - access will be denied.
[Regression Potential]
Fixing a bug with provided patch (raring) changes behavior on unlocking with expired password. If we need to save current behavior as default, then we should use new /etc/pam.d/gnome-screensaver (see comment #4 debdiff). |
|
| 2012-11-30 14:48:18 |
urusha |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
| 2012-11-30 18:25:18 |
Launchpad Janitor |
gnome-screensaver (Ubuntu): status |
Fix Committed |
Fix Released |
|
| 2012-11-30 19:18:45 |
Nobuto Murata |
bug |
|
|
added subscriber Nobuto MURATA |
| 2012-12-10 17:24:38 |
urusha |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
| 2012-12-12 21:28:37 |
Sebastien Bacher |
removed subscriber Ubuntu Sponsors Team |
|
|
|
| 2013-03-18 09:46:33 |
Nicola Volpini |
bug |
|
|
added subscriber Nicola Volpini |
| 2014-08-21 18:48:26 |
Bug Watch Updater |
gnome-screensaver: status |
New |
Fix Released |
|
| 2021-10-14 04:56:56 |
Steve Langasek |
gnome-screensaver (Ubuntu Precise): status |
Triaged |
Won't Fix |
|
