reassign 683141 kdm
retitle 683141 user can successfully authenticate with expired password
thanks

Olivier Diotte <vhannserv...@gmail.com> writes:

> Package: libpam-krb5
> Version: 4.3-1
> Severity: normal

> Seems related to https://bugzilla.redhat.com/show_bug.cgi?id=509092 .

libpam-krb5 in Debian has nothing to do with the Red Hat module. The bug described there appears to have been an attempt to implement password expiration properly according to the PAM standard, which indeed one should not do by default because it breaks applications that do not follow the fully-correct PAM expired password handling (which is complex, strange, and not widely used). That's why Debian's libpam-krb5 has never done that and instead allows the Kerberos library to prompt for an expired password immediately or, failing that, returns a hard error.

The behavior described in that bug requires using non-standard PAM options in Debian that have documented warnings in the manual.

> When password is non-expired, everything works correctly.
> When I expire the Kerberos password on the KDC,
> I can still 'su - user' from the console and get asked for a new
> password. However, when I log in from KDM (on Squeeze), I get a pop-up
> telling me my password is expired. After hitting 'OK', the window
> disappears and I get to the desktop. Subsequent logins will work with the
> old password and won't get the pop-up.

If you get a pop-up saying that your password is expired, I think that means that the PAM module is working properly and returning an expired password error rather than success to the calling application. Behavior after that point is up to KDM, which gets a PAM_NEW_AUTHTOK_REQD return status from the auth group (although if it provides a prompting function, it should never get that far, since the Kerberos library will attempt to change the password immediately and prompt).

Reassigning on that basis, although I'm happy to take a look if further investigation reveals an unexpected return from the PAM module.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
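
The handling this message expects from the calling application, as an added example that is not part of the original message and is not KDM or libpam-krb5 code: `PAM_NEW_AUTHTOK_REQD` is never treated as a successful login, and a session opens only after the expired password has been changed. The `pam_ops` struct, the stub stack and `simulate` are hypothetical; the constants are copied from Linux-PAM so the block builds without libpam installed.

```c
/* Values as defined by Linux-PAM, copied so this builds without libpam. */
enum { PAM_SUCCESS = 0, PAM_NEW_AUTHTOK_REQD = 12, PAM_AUTHTOK_ERR = 20 };
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x0020

/* Hypothetical indirection over pam_authenticate(), pam_acct_mgmt() and
 * pam_chauthtok(), so the flow can run against a stub stack. */
struct pam_ops {
    int (*authenticate)(void *pamh, int flags);
    int (*acct_mgmt)(void *pamh, int flags);
    int (*chauthtok)(void *pamh, int flags);
};

/* Returns 1 only if a session may be opened; anything but PAM_SUCCESS denies. */
int login_allowed(const struct pam_ops *ops, void *pamh)
{
    int rc = ops->authenticate(pamh, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD) {
        /* Expiry reported by the auth group: force a change, then re-check. */
        if (ops->chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK) != PAM_SUCCESS)
            return 0;
        rc = ops->authenticate(pamh, 0);
    }
    if (rc != PAM_SUCCESS)
        return 0;
    rc = ops->acct_mgmt(pamh, 0);
    if (rc == PAM_NEW_AUTHTOK_REQD) /* expiry reported by the account group */
        rc = ops->chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
    return rc == PAM_SUCCESS;
}

/* Constructed stub stack: the password stays expired until a change succeeds. */
struct fake_stack { int expired, change_ok, changes; };
static int fake_check(void *h, int flags) {
    (void)flags;
    return ((struct fake_stack *)h)->expired ? PAM_NEW_AUTHTOK_REQD : PAM_SUCCESS;
}
static int fake_change(void *h, int flags) {
    struct fake_stack *s = h;
    if (!(flags & PAM_CHANGE_EXPIRED_AUTHTOK) || !s->change_ok)
        return PAM_AUTHTOK_ERR;
    s->expired = 0; s->changes++;
    return PAM_SUCCESS;
}
const struct pam_ops fake_ops = { fake_check, fake_check, fake_change };
/* Hypothetical driver: run the flow against a stub stack in a given state. */
int simulate(int expired, int change_ok) {
    struct fake_stack s = { expired, change_ok, 0 };
    return login_allowed(&fake_ops, &s);
}
```

In a real display manager the three function pointers would wrap the libpam calls on an actual `pam_handle_t`, and the password change would go through the application's conversation function.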