[Pkg-xfce-devel] Bug#735670: Bug#735670: lightdm ask ldap administrator password when changing a password expired

Giulio Turetta giulio at sviluppoweb.eu
Fri Jan 24 11:31:36 UTC 2014


Please note that this bug causes other problems that also affect the
default configuration (pam_unix).
For example, on pam_unix the missing flag (PAM_CHANGE_EXPIRED_AUTHTOK)
causes another pam flag, UNIX__IAMROOT [1], to be set, which causes
other unexpected behaviours [2].

You can verify this on Wheezy:
1) install lightdm
2) create a new test user (call it "giulio", set password "giulio")
# adduser giulio
3) log in as giulio and try to change the account password
giulio$ passwd
try to use the password "t": it fails because it's too short
try to use the password "turetta": it fails because it's too simple
the password change succeeds only with an (almost) secret password like
"tuREtt4"
4) now expire giulio's password
# chage -d 0 giulio
5) try to log in via lightdm; the current password is "tuREtt4"
6) login succeeds but you will be asked to enter a new password; enter "t"
7) giulio's password is now "t"! Ouch!!!!
8) now expire the password again and try to change it to "a" by logging in
with gdm3 (ssh, console, ...): the right policies will be enforced

Note, about pam_unix, that this bug also breaks the "remember" pam_unix
policy.

I think that this bug probably impacts most of the pam modules and so it
must be considered an important security issue (security policies are
not enforced).

I'm performing further checks...

[1] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/support.c:68
if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
  D(("IAMROOT"));
  set(UNIX__IAMROOT, ctrl);
}

[2] from Wheezy pam source:
/pam-1.1.3/modules/pam_unix/pam_unix_passwd.c:491
if (off(UNIX__IAMROOT, ctrl)) {
  if (strlen(pass_new) < pass_min_len)
    remark = _("You must choose a longer password");
  D(("length check [%s]", remark));
  if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
    if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
      remark = _("Password has been already used. Choose another.");
    if (retval == PAM_ABORT) {
      pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                 OLD_PASSWORDS_FILE);
      return retval;
    }
  }
}
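As an added illustration (not part of this report, nor code from lightdm or Linux-PAM), here is a small C model of the two pam_unix decisions quoted in [1] and [2]. The PAM_CHANGE_EXPIRED_AUTHTOK and PAM_AUTHTOK_ERR values are the ones from Linux-PAM's _pam_types.h; the ctrl bit positions, the password history used for the "remember" check, and a minimum length of 6 are assumptions made for the model. It shows why a root-owned display manager that calls pam_chauthtok() without PAM_CHANGE_EXPIRED_AUTHTOK gets every policy check skipped, and that passing the flag restores them.

```c
/* Model of pam_unix's UNIX__IAMROOT decision and the checks it disables.
 * Added example, not pam_unix or lightdm code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Values as defined in Linux-PAM's _pam_types.h. */
#define PAM_CHANGE_EXPIRED_AUTHTOK 0x20
#define PAM_SUCCESS                0
#define PAM_AUTHTOK_ERR            20

/* Stand-ins for the UNIX__IAMROOT / UNIX_REMEMBER_PASSWD entries of the
 * pam_unix ctrl table; the bit positions are assumptions, only the names
 * correspond to the real module. */
#define UNIX__IAMROOT        (1u << 0)
#define UNIX_REMEMBER_PASSWD (1u << 1)

#define on(x, ctrl)  (((ctrl) & (x)) != 0)
#define off(x, ctrl) (((ctrl) & (x)) == 0)

/* Mirrors support.c:68 quoted in [1]: a root caller is trusted with any
 * password unless it declares that it is changing an expired one on behalf
 * of the user. */
unsigned int unix_set_ctrl(uid_t caller_uid, int pam_flags, unsigned int ctrl)
{
    if (caller_uid == 0 && !(pam_flags & PAM_CHANGE_EXPIRED_AUTHTOK))
        ctrl |= UNIX__IAMROOT;
    return ctrl;
}

/* Constructed stand-in for check_old_password(): in pam_unix the history
 * lives in /etc/security/opasswd, here it is a fixed list. */
static const char *old_passwords[] = { "tuREtt4", "0ldPa55w0rd" };

static int check_old_password(const char *pass_new)
{
    for (size_t i = 0; i < sizeof old_passwords / sizeof old_passwords[0]; i++)
        if (strcmp(old_passwords[i], pass_new) == 0)
            return PAM_AUTHTOK_ERR;
    return PAM_SUCCESS;
}

/* Mirrors pam_unix_passwd.c:491 quoted in [2]. Returns NULL when the new
 * password is accepted, otherwise the remark pam_unix would show. Note that
 * the whole body is skipped when UNIX__IAMROOT is set. */
const char *unix_check_new_password(unsigned int ctrl, const char *pass_new,
                                    size_t pass_min_len)
{
    const char *remark = NULL;
    if (off(UNIX__IAMROOT, ctrl)) {
        if (strlen(pass_new) < pass_min_len)
            remark = "You must choose a longer password";
        if (on(UNIX_REMEMBER_PASSWD, ctrl) &&
            check_old_password(pass_new) == PAM_AUTHTOK_ERR)
            remark = "Password has been already used. Choose another.";
    }
    return remark;
}

/* The decision for one pam_chauthtok() call from a caller running as
 * caller_uid with the given pam_flags; "remember" is enabled and the
 * minimum length of 6 is an assumed policy value. */
const char *change_password(uid_t caller_uid, int pam_flags,
                            const char *pass_new)
{
    unsigned int ctrl = unix_set_ctrl(caller_uid, pam_flags,
                                      UNIX_REMEMBER_PASSWD);
    return unix_check_new_password(ctrl, pass_new, 6);
}

int main(void)
{
    const char *r;

    /* Root display manager, flag omitted: the bug from the report. */
    r = change_password(0, 0, "t");
    printf("root, no flag, \"t\": %s\n", r ? r : "accepted (policy bypassed)");

    /* Root display manager passing PAM_CHANGE_EXPIRED_AUTHTOK: policy applies. */
    r = change_password(0, PAM_CHANGE_EXPIRED_AUTHTOK, "t");
    printf("root, PAM_CHANGE_EXPIRED_AUTHTOK, \"t\": %s\n", r ? r : "accepted");

    /* Unprivileged passwd(1) reusing an old password: "remember" applies. */
    r = change_password(1000, 0, "tuREtt4");
    printf("user 1000, reused password: %s\n", r ? r : "accepted");
    return 0;
}
```

Running it prints the three outcomes from the report's steps 5 to 8: the root caller without the flag gets "t" accepted, the same caller with PAM_CHANGE_EXPIRED_AUTHTOK gets the length remark, and an ordinary user gets the reuse remark. A display manager that receives PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt() should therefore call pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK), which is exactly what the real module keys on.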