lightdm ask ldap administrator password when changing an expired password

Bug #1270118 reported by Gabriel on 2014-01-17
18
This bug affects 2 people
Affects                  Status        Importance  Assigned to        Milestone
Light Display Manager                  Medium      Robert Ancell
  1.2                                  Medium      Robert Ancell
  1.4                                  Medium      Robert Ancell
  1.8                                  Medium      Robert Ancell
lightdm (Debian)         Fix Released  Unknown
lightdm (Ubuntu)                       Medium      Bartosz Kosiorek
  Precise                              Medium      Bartosz Kosiorek
  Saucy                                Medium      Unassigned

Bug Description

[Impact]
LightDM does not correctly use PAM to change users' passwords when they expire. This causes some PAM modules (e.g. pam_ldap) to not correctly perform password changing.

[Test Case]
1. Setup LDAP logins
2. Expire users password
3. Attempt to log into greeter
Expected result:
- User is prompted to change password. Password limitations are correctly enforced.
Observed result:
- User is prompted to change password. Password limitations are not correctly enforced.

[Regression Potential]
Any PAM module that relied on the previous incorrect behaviour might behave differently. It is not expected that any module would intentionally do this.

Gabriel (pecheatwork) on 2014-01-17
tags: added: ldap
Giulio Turetta (giulio-9) wrote :

Hi, I confirm this issue (also in trunk).

It's apparently due to an "improper" use of flags in pam_chauthtok call (session-child.c:337).

Because lightdm calls pam_chauthtok after a positive check on PAM_NEW_AUTHTOK_REQD (from man page "The user account is valid but their authentication token is expired") it should pass the PAM_CHANGE_EXPIRED_AUTHTOK flag (from man page "This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired").
gdm3 uses the flag correctly (gdm-session-worker.c:1291).

Without the flag "the application requires that all authentication tokens are to be changed" (pam man) so you need to provide the LDAP admin credentials.

To solve it, simply change the line about chauthtok in session-child.c (line 291 for lightdm-1.2.2 of wheezy) from

authentication_result = pam_chauthtok (pam_handle, 0 );

to

authentication_result = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK );

If you want to patch the Debian Wheezy package:
1) download the lightdm Debian source package: apt-get source lightdm
2) go to the source folder lightdm-1.2.2/src and edit session-child.c as suggested
3) step back to the lightdm-1.2.2 folder and run dpkg-buildpackage -rfakeroot -uc -b (dpkg-buildpackage may require some packages to proceed; it lists the required packages, install these with apt-get install <package-list>)
4) if dpkg-buildpackage completes without errors you have your lightdm_1.2.2-4_i386.deb (step back to the initial folder)
5) stop lightdm (invoke-rc.d lightdm stop) and remove it (apt-get remove lightdm)
6) install your lightdm package (dpkg -i lightdm_1.2.2-4_i386.deb) and start it (invoke-rc.d lightdm start)

This should be fixed because, as it is, no one can use lightdm with LDAP when a periodic password change is required.

Gabriel (pecheatwork) on 2014-01-22
Changed in lightdm:
status: New → Confirmed
Gabriel (pecheatwork) on 2014-01-22
information type: Public → Private
Changed in lightdm (Debian):
status: Unknown → Confirmed
Giulio Turetta (giulio-9) wrote :

Please note that this bug causes other problems that also affect the default configuration (pam_unix).
For example, with pam_unix the missing flag (PAM_CHANGE_EXPIRED_AUTHTOK) causes another pam flag, UNIX__IAMROOT [1], to be set, which causes other unexpected behaviours [2].

You can verify this on Wheezy:
1) install lightdm
2) create a new test user (call it "giulio", set password "giulio")
# adduser giulio
3) log in as giulio and try to change the account password
giulio$ passwd
try to use the password "t": it fails because it's too short
try to use the password "turetta": it fails because it's too simple
the password change succeeds only with an (almost) secret password like "tuREtt4"
4) now expire giulio's password
# chage -d 0 giulio
5) try to log in via lightdm; the current password is "tuREtt4"
6) login succeeds but you will be asked to enter a new password; enter "t"
7) giulio's password is now "t"! Ouch!!!!
8) now expire the password again and try to change it to "a" via a login with gdm3 (ssh, console, ...): the right policies will be enforced

Note, about pam_unix, that this bug also breaks the "remember" pam_unix policy.

I think that this bug probably impacts most of the pam modules, so it must be considered an important security issue (security policies are not enforced).

I'm performing further checks...

[1] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/support.c:68
if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
  D(("IAMROOT"));
  set(UNIX__IAMROOT, ctrl);
}

[2] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/pam_unix_passwd.c:491
if (off(UNIX__IAMROOT, ctrl)) {
  if (strlen(pass_new) < pass_min_len)
    remark = _("You must choose a longer password");
  D(("length check [%s]", remark));
  if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
    if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
      remark = _("Password has been already used. Choose another.");
    if (retval == PAM_ABORT) {
      pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                                        OLD_PASSWORDS_FILE);
      return retval;
    }
  }
}
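The two comments above describe the same mechanism from both sides: the display manager's session child runs as root and calls pam_chauthtok() after pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD, and pam_unix treats a root caller without PAM_CHANGE_EXPIRED_AUTHTOK as an administrator resetting someone else's password, so it skips the length and "remember" checks. The following self-contained C program is an added illustration of that interaction; it is not libpam, lightdm or pam_unix code. The return codes and the PAM_CHANGE_EXPIRED_AUTHTOK value are the ones from Linux-PAM's public headers (so nothing links against -lpam); the UNIX__IAMROOT/UNIX_REMEMBER_PASSWD bits, the minimum length of 6 and the password history are assumptions made for the model, and the policy function paraphrases the two pam_unix excerpts quoted in [1] and [2].

```c
/* Added example: a model of why the pam_chauthtok() flag matters.
 * NOT libpam, lightdm or pam_unix code. The PAM_* values below match
 * Linux-PAM's headers; everything else is a simplification for the demo. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Linux-PAM return codes and the chauthtok flag (values as in the headers). */
#define PAM_SUCCESS                 0
#define PAM_NEW_AUTHTOK_REQD       12
#define PAM_AUTHTOK_ERR            20
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x20

/* pam_unix control bits, modelled as a plain bitmask (assumed encoding). */
#define UNIX__IAMROOT        (1u << 0)
#define UNIX_REMEMBER_PASSWD (1u << 1)

#define PASS_MIN_LEN 6  /* assumed minimum length for the model */

/* Constructed "remember" history for the model user (stands in for
 * the opasswd file that check_old_password() reads in pam_unix). */
static const char *old_passwords[] = { "tuREtt4", "giulio" };

static int check_old_password(const char *pass_new) {
    for (size_t i = 0; i < sizeof old_passwords / sizeof *old_passwords; i++)
        if (strcmp(old_passwords[i], pass_new) == 0)
            return PAM_AUTHTOK_ERR;
    return PAM_SUCCESS;
}

/* Model of pam_unix's chauthtok decision. `uid` stands in for getuid():
 * the display manager's session child runs as root, so it is 0 here. */
int unix_chauthtok_policy(uid_t uid, int flags, unsigned ctrl, const char *pass_new) {
    /* support.c:68 in the quoted source: a root caller that did not say
     * "only change an expired token" is treated as an admin reset. */
    if (uid == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK))
        ctrl |= UNIX__IAMROOT;

    /* pam_unix_passwd.c:491: the quality checks only run when not IAMROOT. */
    if (!(ctrl & UNIX__IAMROOT)) {
        if (strlen(pass_new) < PASS_MIN_LEN)
            return PAM_AUTHTOK_ERR;   /* "You must choose a longer password" */
        if ((ctrl & UNIX_REMEMBER_PASSWD) &&
            check_old_password(pass_new) == PAM_AUTHTOK_ERR)
            return PAM_AUTHTOK_ERR;   /* "Password has been already used." */
    }
    return PAM_SUCCESS;
}

/* Model of the display manager's side (session-child.c / gdm-session-worker.c):
 * after account management reports PAM_NEW_AUTHTOK_REQD it calls
 * pam_chauthtok(). The buggy lightdm passed 0; the fix and gdm3 pass
 * PAM_CHANGE_EXPIRED_AUTHTOK. The "remember" option is assumed enabled. */
int dm_handle_expired(int acct_result, int chauthtok_flags, const char *pass_new) {
    if (acct_result != PAM_NEW_AUTHTOK_REQD)
        return acct_result;           /* nothing to change */
    return unix_chauthtok_policy(0, chauthtok_flags, UNIX_REMEMBER_PASSWD, pass_new);
}

int main(void) {
    const char *verdict[] = { "accepted", "rejected" };
    printf("buggy lightdm (flags=0), new password \"t\": %s\n",
           verdict[dm_handle_expired(PAM_NEW_AUTHTOK_REQD, 0, "t") != PAM_SUCCESS]);
    printf("fixed lightdm (PAM_CHANGE_EXPIRED_AUTHTOK), new password \"t\": %s\n",
           verdict[dm_handle_expired(PAM_NEW_AUTHTOK_REQD,
                                     PAM_CHANGE_EXPIRED_AUTHTOK, "t") != PAM_SUCCESS]);
    return 0;
}
```

Run as-is it prints "accepted" for the buggy call and "rejected" for the fixed one, which is exactly the "giulio's password is now t" outcome from the test steps above and the reason the one-flag change closes the policy bypass. The same model shows the LDAP symptom indirectly: a module that sees an unflagged root caller assumes an administrative reset, which for pam_ldap means asking for the directory administrator's credentials.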

Changed in lightdm:
assignee: nobody → Robert Ancell (robert-ancell)
Changed in lightdm (Debian):
status: Confirmed → Fix Released
Changed in lightdm (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
Changed in lightdm:
importance: Undecided → Medium
status: Confirmed → Triaged
information type: Private → Public
Changed in lightdm (Ubuntu Precise):
importance: Undecided → Medium
Changed in lightdm (Ubuntu Saucy):
status: New → Triaged
importance: Undecided → Medium
Changed in lightdm (Ubuntu Precise):
status: New → Triaged
Gabriel (pecheatwork) on 2014-02-06
information type: Public → Private
Changed in lightdm:
milestone: none → 1.9.7
PS Jenkins bot (ps-jenkins) wrote :

Fix committed into lp:lightdm at revision None, scheduled for release in lightdm, milestone Unknown

Changed in lightdm:
status: Triaged → Fix Committed
Changed in lightdm (Ubuntu Precise):
assignee: nobody → Robert Ancell (robert-ancell)
status: Triaged → In Progress
Robert Ancell (robert-ancell) wrote :

Marking as public as the change was released into Debian, in LightDM releases and is in public branches.

description: updated
information type: Private → Public
Changed in lightdm:
status: Fix Committed → Fix Released
Changed in lightdm (Ubuntu):
status: Triaged → In Progress
assignee: nobody → Robert Ancell (robert-ancell)

The attachment "patch file for Wheezy" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.9.7-0ubuntu1

---------------
lightdm (1.9.7-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - Correctly invoke PAM to change authentication token. (LP: #1270118)
    - Make xdg-seat a core property of a seat and always pass it to X servers.
    - Qt bindings: properly hand over prompt and message type.
    - Add warning flags where they are missing and fix the resulting warnings.
 -- Robert Ancell <email address hidden> Fri, 07 Feb 2014 15:40:20 +0000

Changed in lightdm (Ubuntu):
status: In Progress → Fix Released

Hello Gabriel, or anyone else affected,

Accepted lightdm into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lightdm/1.2.3-0ubuntu2.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in lightdm (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Bartosz Kosiorek (gang65) wrote :

After installing the patch, it is working correctly for me (Precise).

tags: added: verification-done
removed: verification-needed
Changed in lightdm (Ubuntu Precise):
assignee: Robert Ancell (robert-ancell) → Bartosz Kosiorek (gang65)
Changed in lightdm (Ubuntu):
assignee: Robert Ancell (robert-ancell) → Bartosz Kosiorek (gang65)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lightdm - 1.2.3-0ubuntu2.5

---------------
lightdm (1.2.3-0ubuntu2.5) precise; urgency=medium

  * debian/patches/08_chauthtok.patch:
    - Correctly invoke PAM to change authentication token (LP: #1270118)
 -- Robert Ancell <email address hidden> Tue, 01 Apr 2014 16:03:51 +1300

Changed in lightdm (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Rolf Leggewie (r0lf) wrote :

Saucy has reached the end of its life and is no longer receiving any updates. Marking the Saucy task for this ticket as "Won't Fix".

Changed in lightdm (Ubuntu Saucy):
status: Triaged → Won't Fix