Password is ignored on local login, even for root

Bug #526999 reported by Fabio on 2010-02-24
This bug affects 1 person
Affects: auth-client-config (Ubuntu)
Status: Invalid
Importance: Low
Assigned to: nobody

Bug Description

Binary package hint: auth-client-config


I've installed "Ubuntu Server 9.10" + "Openssh Server" + "Kerberos" + "auth-client-config" (full list in attached "instalados.lis") with all updates.

If I run:

    # auth-client-config -a -p kerberos_example

you don't need a password anymore to log on locally, root included!
Just press "Return" at the "Password:" prompt.
Kerberos running or not, configured or not.
You can remove it and the problem is the same.

I can reset this with:

    # auth-client-config -a -p kerberos_example -r

Another symptom, not yet cleared up and possibly related, is this message in /var/log/messages:

    ...login[1236]: Libgcrypt warning: missing initialization - please fix the application

Fabio (fabiop-fea) wrote:
security vulnerability: yes → no
visibility: private → public
Changed in auth-client-config (Ubuntu):
assignee: nobody → Jamie Strandboge (jdstrand)

This bug affects me. To work around it, I do the following:

- Run sudo auth-client-config -a -p kerberos_example
- Change /etc/pam.d/common-auth to use the attached file.
- Create /etc/pam.d/substack-kerberos-unix based on the attached file.

These files are under the GPL, version 2 of the License, or (at your option) any later version.

Note that it is essential to not simply drop substack-kerberos-unix into common-auth as this prevents later authentication modules from running (which, e.g., sshd relies on).

These files (or something similar) should be integrated into /etc/auth-client-config/profile.d/acc-default.

The file attached to comment #2 is the incorrect version of the file (that is, the bad version created by auth-client-config). Use the version attached to comment #3.
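An illustrative layout of the substack arrangement the workaround above describes, added here as an example; it is not the attached common-auth or substack-kerberos-unix file, and the module options, the skip counts and the choice of pam_deny as the terminal entry are assumptions. It follows the control-flag style Ubuntu's pam-auth-update uses for common-auth:

```conf
# /etc/pam.d/common-auth   (illustrative, not the attached file)
#
# Hand the whole credential check to a substack. Unlike "@include"/"include",
# a "done" or "die" result (which is what "sufficient" and "requisite"
# expand to) inside a substack ends only the substack and returns to this
# line, so a service that lists further auth modules after
# "@include common-auth" (e.g. /etc/pam.d/sshd) still gets to run them.
auth    substack    substack-kerberos-unix
# Terminal line of the parent stack. A failure already recorded by the
# substack is not overridden by this pam_permit.
auth    required    pam_permit.so

# /etc/pam.d/substack-kerberos-unix   (illustrative; module options and
# skip counts are assumptions, not the attached file)
#
# Kerberos first. On success skip the next two lines (pam_unix and
# pam_deny) and land on pam_permit; on any other result ignore it and
# fall through to the local password check.
auth    [success=2 default=ignore]    pam_krb5.so minimum_uid=1000
# Local /etc/shadow password, reusing the password already typed.
# On success skip pam_deny; otherwise ignore and fall through.
auth    [success=1 default=ignore]    pam_unix.so nullok_secure try_first_pass
# Neither module verified a credential: fail the substack explicitly.
# Without this line the stack would fall through to pam_permit and accept
# any password, including an empty one.
auth    requisite                     pam_deny.so
# Jump target for the success=N lines above.
auth    required                      pam_permit.so
```

The property worth checking after applying any auth-client-config profile (the kerberos_example profile itself is not shown in this report) is that every path through the auth stack which has not reached a module that actually verified a credential ends in pam_deny. A stack whose modules are all "sufficient" or "default=ignore" and which then ends in pam_permit returns success for any input, including an empty password, which is the behaviour reported above. Test the negative case as well as the positive one: with the profile applied, a wrong password must be refused both at a local console login and over ssh, and `auth-client-config -a -p <profile> -r` should put the previous configuration back.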

security vulnerability: no → yes
Jamie Strandboge (jdstrand) wrote:

This is not a security vulnerability, as the file you are using is an example and not intended for production use. It says right in the profile /etc/auth-client-config/profile.d/acc-default:

    # this example is for using kerberos to authenticate. Has been used with
    # nss-updatedb, libpam-krb5 and libpam-ccreds. Should also work with
    # libpam-heimdal. This is only an example, and you may have to create
    # your own profiles to authenticate with your system.

I will verify that the example works as intended.

security vulnerability: yes → no
Changed in auth-client-config (Ubuntu):
importance: Undecided → Low
Changed in auth-client-config (Ubuntu):
assignee: Jamie Strandboge (jdstrand) → nobody
status: New → Invalid