[Pkg-xfce-devel] Bug#735670: Bug#735670: lightdm ask ldap administrator password when changing a password expired

Yves-Alexis Perez corsac at debian.org
Mon Jan 27 19:55:05 UTC 2014



On Mon, Jan 27, 2014 at 07:41:46PM +0100, Giulio Turetta wrote:
> Hello,
> 
> On 24/01/2014 16:46, Yves-Alexis Perez wrote:
> > That's why I think PAM people might have more clue than me…
> 
> I wrote to Steve Langasek (pam DM), I briefly described the problem and
> asked for information.
> 
> Steve about the man page:
> > Well, this information from the manpage authoritatively describes how the
> > flag is meant to be used: if pam_chauthtok() is being called to request
> > changing expired tokens, the flag is expected to be passed.

That's not what it says:

PAM_CHANGE_EXPIRED_AUTHTOK
     This argument indicates to the modules that the users
     authentication token (password) should only be changed if it has
     expired. If this argument is not passed, the application requires
     that all authentication tokens are to be changed.

I'm not a native speaker, but I parse it as “if it's passed, the password
won't be changed if it has expired” and “if it's not passed, all the
authentication tokens should be changed”. Nothing relevant to the
superuser is given here, and nothing says the flag must be passed in order
to change an expired password.

So maybe it should be rephrased to more precisely describe what it does?
> 
> Steve about the missing flag in lightdm:
> > However, lightdm definitely should be passing PAM_CHANGE_EXPIRED_AUTHTOK
> > whenever it calls pam_chauthtok(), because lightdm doesn't have any
> > interface for letting the user /request/ a change of their password.

Well, I might miss some context, but again there's no reference to
that in the manpage.

I'll push that upstream (well, actually I hope I'm doing this right now
with the launchpad CC:)

> 
> About pam_unix - which is more important because it's the default pam
> module - to be sure that I didn't mess up anything I tried with a
> clean Wheezy installation.
> I confirm that, due to the missing flag in lightdm, anyone can change
> his expired password by lightdm bypassing the password policies (like
> root does).

I have to admit I'm still puzzled with that, since nothing mentions that
in the manpage (but that might also just be that the manpage doesn't
know how every module can handle those flags, actually).

Regards,
- -- 
Yves-Alexis Perez