Password expiration warning and change prompt not working for LDAP user
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
StarlingX | Fix Released | Medium | Reinildes Oliveira |
Bug Description
Brief Description
-------
Password warning msg is not shown when ldap user is created with 'password_
Password warning msg is:
Warning: your password will expire in 1 day
Additionally, password change prompt is not shown when the password has expired.
Severity
-------
Standard
Steps to Reproduce
-------
Password about to expire warning:
Manual:
1. create secure inventory
~(keystone_admin)]$ ansible-vault create secure-inventory
# This will open a text editor where you can fill the inventory parameters as shown on the example below:
[all:vars]
ansible_
ansible_
ansible_
systemcontroller-0 ansible_
2. create ldapuser01 with password_
Send 'ansible-playbook --verbose --inventory secure-inventory --ask-vault-pass --extra-
3. verify user is listed in openstack
Send 'openstack --os-username 'admin' --os-password 'Li69nux*' --os-project-name admin --os-auth-url http://[abcd:204:
4. login as ldapuser01
ldapuser01@
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
Linux controller-1 5.10.0-6-rt-amd64 #1 SMP PREEMPT_RT StarlingX Debian 5.10.112-1.stx.24 (2022-11-09) x86_64
Last login: Wed Nov 9 17:03:03 2022 from face::2
ldapuser01@
Expected Behavior
[2022-10-08 04:23:40,784] 351 DEBUG MainThread ssh.send :: Send 'ssh -l ldapuser01 -o UserKnownHostsF
[2022-10-08 04:23:40,865] 473 DEBUG MainThread ssh.expect :: Output:
The authenticity of host 'controller-1 (abcd:204::3)' can't be established.
ECDSA key fingerprint is SHA256:
ECDSA key fingerprint is MD5:90:
Are you sure you want to continue connecting (yes/no)?
[2022-10-08 04:23:40,867] 351 DEBUG MainThread ssh.send :: Send 'yes'
[2022-10-08 04:23:40,923] 473 DEBUG MainThread ssh.expect :: Output:
Warning: Permanently added 'controller-
Release 22.12
-------
W A R N I N G *** W A R N I N G *** W A R N I N G *** W A R N I N G ***
-------
THIS IS A PRIVATE COMPUTER SYSTEM.
This computer system including all related equipment, network devices
(specifically including Internet access), are provided only for authorized use.
All computer systems may be monitored for all lawful purposes, including to
ensure that their use is authorized, for management of the system, to
facilitate protection against unauthorized access, and to verify security
procedures, survivability and operational security. Monitoring includes active
attacks by authorized personnel and their entities to test or verify the
security of the system. During monitoring, information may be examined,
recorded, copied and used for authorized purposes. All information including
personal information, placed on or sent over this system may be monitored. Uses
of this system, authorized or unauthorized, constitutes consent to monitoring
of this system. Unauthorized use may subject you to criminal prosecution.
Evidence of any such unauthorized use collected during monitoring may be used
for administrative, criminal or other adverse action. Use of this system
constitutes consent to monitoring for these purposes.
ldapuser01@
[2022-10-08 04:23:40,924] 351 DEBUG MainThread ssh.send :: Send 'Li69nux*'
[2022-10-08 04:23:41,132] 473 DEBUG MainThread ssh.expect :: Output:
Warning: your password will expire in 1 day
Last login: Sat Oct 8 04:23:14 2022 from 127.0.0.1
/etc/motd.
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
[2022-10-08 04:23:41,132] 351 DEBUG MainThread ssh.send :: Send 'exit'
[2022-10-08 04:23:41,182] 113 INFO MainThread tis_log.tc_step ::
Actual Behavior
[sysadmin@
ldapuser01@
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
Linux controller-1 5.10.0-6-rt-amd64 #1 SMP PREEMPT_RT StarlingX Debian 5.10.112-1.stx.24 (2022-11-09) x86_64
Last login: Wed Nov 9 17:03:03 2022 from face::2
ldapuser01@
Expired password prompt not showing up:
After further analysis, it turns out that this is a bigger issue where passwords are not expiring for LDAP users.
In order to reproduce this second bug:
1) Create user with a 1 day password validity:
ldapusersetup -u ldap_user1 --sudo --secondgroup sys_protected --passmax 1 --passwarning 2
2) Now login with the user for the first time, which should prompt a password change:
ssh ldap_user1@
3) Logout from ldap_user1
exit
4) Change os date to 3 days in the future:
sudo date -s "Tue Mar 14 06:33:37 UTC 2023" # example command
5) Now login again with the user:
ssh ldap_user1@
Expected behavior:
User should see a prompt asking them to change their passwords:
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
=======
SYSTEM: vbox
=======
Linux controller-0 5.10.0-6-amd64 #1 SMP PREEMPT StarlingX Debian 5.10.162-1.stx.31 (2023-02-07) x86_64
Last login: Tue Mar 14 21:37:21 2023 from 127.0.0.1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for ldap_user1.
Current Password:
Actual behavior:
User is able to login:
WARNING: Unauthorized access to this system is forbidden and will be
prosecuted by law. By accessing this system, you agree that your
actions may be monitored if unauthorized usage is suspected.
=======
SYSTEM: vbox
=======
Linux controller-0 5.10.0-6-amd64 #1 SMP PREEMPT StarlingX Debian 5.10.162-1.stx.31 (2023-02-07) x86_64
Last login: Tue Mar 14 21:37:57 2023 from 127.0.0.1
ldap_user1@
Reproducibility
-------
Reproducible
Last Pass
-------
Never PASS on Debian.
Alarms
-------
NA
Test Activity
-------
Regression Testing
Workaround
-------
Describe workaround if available
Changed in starlingx:
assignee: nobody → Reinildes Oliveira (rjosemat)
Changed in starlingx:
status: New → In Progress
Changed in starlingx:
importance: Undecided → Medium
tags: added: stx.security
tags: added: stx.9.0
Reviewed: https://review.opendev.org/c/starlingx/config-files/+/874104
Committed: https://opendev.org/starlingx/config-files/commit/13d31e81845593e3c3a4548fc5088c631105f00b
Submitter: "Zuul (22348)"
Branch: master
commit 13d31e81845593e3c3a4548fc5088c631105f00b
Author: Rei Oliveira <email address hidden>
Date: Thu Feb 16 11:48:57 2023 -0300
Fix password expiration for local openldap users
There is an issue with debian SSSD package and the password expiration
message and change prompt are not showing up when expected.
This change adds a custom shell script that will use the last password
modification date from ldap and the expected shadowWarning and
shadowMax configured for the user to tell when to show password
expiration warning and when to ask the user to change their passwords.
This commit addresses only local openldap users as this is more
critical, since AD users will be warned and have their password
expiration handled externally by their organization. Further work to
include AD users in this script is under investigation.
Test plan:
PASS: 1) Create ldap user with 'ldapusersetup -u ldap_user1 --sudo
--secondgroup sys_protected --passmax 1 --passwarning 2',
login with user and verify the first time password change prompt
is shown.
PASS: 2) After test #1, exit and login back again with user ldap_user1
and verify after login msg 'Warning: The password for ldap_user1
will expire in 1 day.' is shown.
PASS: 3) After test #1, logout ldap_user1 and change the system's date
to 1 day in the future. Login back with ldap_user1 and verify
that after login msg 'Warning: The password for ldap_user1 will
expire in 0 day.' is shown.
PASS: 4) After test #3, logout ldap_user1 and change the system's date
to 1 day in the future. Login back with ldap_user1 and verify
that the system will print a msg 'WARNING: Your password has
expired.' and will prompt users to change their passwords.
Closes-Bug: 2008501
Change-Id: I609f54fca11bf8747a6fb306343e70039ac9686a
Signed-off-by: Rei Oliveira <email address hidden>
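The commit message above describes the check only in prose; the script below is an added illustration of that shadow-attribute arithmetic, written for this page rather than taken from the StarlingX change. It assumes the login hook reads the user's shadowLastChange, shadowMax and shadowWarning from openldap, and a constructed LDIF record stands in for that query so it runs offline; the message texts follow the ones quoted in the bug and test plan.

```shell
#!/bin/sh
# Added illustration, not the StarlingX script from the commit above.
# Assumption: the login hook reads the RFC 2307 shadow attributes of the
# user from openldap; here a constructed LDIF record stands in for that.
SAMPLE_LDIF='dn: uid=ldap_user1,ou=People,dc=example,dc=local
uid: ldap_user1
shadowLastChange: 19426
shadowMax: 1
shadowWarning: 2'

# ldif_attr ATTR LDIF: print the value of a single-valued attribute
ldif_attr() {
    printf '%s\n' "$2" | sed -n "s/^$1: //p"
}

# password_status TODAY LAST_CHANGE MAX WARNING
# All values are day counts since 1970-01-01, as shadow(5) stores them.
# Prints "ok", "warn N" (N days left) or "expired".
password_status() {
    today=$1; last=$2; max=$3; warn=$4
    # an empty or 99999 shadowMax means the password never expires
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi
    days_left=$(( last + max - today ))
    if [ "$days_left" -lt 0 ]; then
        echo expired
    elif [ "$days_left" -le "${warn:-0}" ]; then
        echo "warn $days_left"
    else
        echo ok
    fi
}

# login_notice LDIF TODAY: the message a login hook would print for the user
login_notice() {
    user=$(ldif_attr uid "$1")
    status=$(password_status "$2" "$(ldif_attr shadowLastChange "$1")" \
                             "$(ldif_attr shadowMax "$1")" \
                             "$(ldif_attr shadowWarning "$1")")
    case $status in
        expired) echo "WARNING: Your password has expired."
                 echo "You must change your password now and login again!" ;;
        warn*)   echo "Warning: The password for $user will expire in ${status#warn } day." ;;
    esac
}

# Walk the days used in the commit's test plan: passmax 1, passwarning 2
for day in 19426 19427 19428; do
    echo "day $day: $(login_notice "$SAMPLE_LDIF" "$day")"
done
```

On a real host TODAY would be `$(( $(date +%s) / 86400 ))`, and a missing shadowLastChange should be treated as "must change now", which is the case pam_unix applies for a zero value.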