
Bug#584659: libpam-runtime: unix pam-auth-update password rule fail for local users


Petter Reinholdtsen

Jun 5, 2010, 7:10:02 AM6/5/10

Package: libpam-runtime
Version: 1.1.1-3

When installing a pam module with priority higher than unix (for
example libpam-sss), the generated password rule for pam does not work.
This is the pam configuration in question:

password sufficient pam_sss.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so

The problem is the use_authtok argument to pam_unix.so, which forces
the unix module to not ask for a password even if it is missing, in
concert with the fact that some pam modules do not ask for passwords
if the user in question is unknown. I ran into this problem when I
was unable to change the password on the local root user after
configuring libpam-sss version 1.2.0-1. I believe the same is the
case for Kerberos pam modules.

Should the use_authtok argument be removed from
/usr/share/pam-config/unix?

Happy hacking,
--
Petter Reinholdtsen


Alexis

Jan 4, 2023, 4:50:04 PM1/4/23
Package: libpam-runtime
Version: 1.5.2-5

Hello,


I use the awesome systemd-homed for users, and classic unix authentication for my system accounts. Thereby:

When I activate "Enable user management by systemd-homed" & "Unix authentication" with the help of `pam-auth-update`, I cannot use `passwd` with a system account.


# cat /etc/pam.d/common-password
 password        [success=2 default=ignore]      pam_systemd_home.so  
 password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt


# passwd villebrequin 

    passwd: Authentication token manipulation error
    passwd: password unchanged

# journalctl -g pam -xe
    passwd[25640]: pam_systemd_home(passwd:chauthtok): Not a user managed by systemd-homed: No home for user villebrequin known

FYI (I don't know if this can help): https://github.com/systemd/systemd/commit/842067e6753d8cad951c83ac62681c539e1b1a07

I have to remove the option use_authtok for it to work!
Could you please reconsider this request?


Thanks in advance

Best regards



Sam Hartman

Jan 4, 2023, 6:40:05 PM1/4/23
>>>>> "Alexis" == Alexis <halleba...@gmx.com> writes:

Alexis> I have to remove the option use_authtok for it to work!
Alexis> Could you please reconsider this request?

I don't think this request ever got considered in the first place.
And I'm still not sure what to do.

There are two situations:

* you have a local password that is also synced to some remote system.

In this situation, use_authtok is really important because you want to
make sure that you use the same password for both systems. Without
that you could for example get an ldap password that is inconsistent
with a local password.

* You have multiple authentication systems only one of which is
responsible for a given user

In this case use_authtok is likely to break all but the first
authentication system.

So, the challenge in closing this bug is we don't have enough
information to know which case we have.
And we probably would need to change libpam-runtime's initial vs
non-initial approach to something else that was more aware of the
combination of modules.

You could also have a mixture, in which case things would be a real
mess :-)
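To make the behaviour discussed in this thread concrete, here is a toy model of a Linux-PAM password (chauthtok) stack. It is an added illustration, not code from the bug report, from Linux-PAM or from any of the modules named: the module functions are simplified stand-ins, the PAM_PRELIM_CHECK pass of a real password change is not modelled, the `obscure` quality check is replaced by a length threshold, the user databases are constructed, and the pam_deny/pam_permit lines of the second report's stack (which only shows its first two lines) are assumed from the default Debian layout. The model walks the stack from the first report for `root`, the stack from the second report for `villebrequin`, and a constructed `required`-style stack for Sam Hartman's "local password synced to a remote system" case, with and without `use_authtok` on pam_unix.

```python
# Toy model of a Linux-PAM 'password' (chauthtok) stack. Constructed example:
# the module functions are simplified stand-ins for pam_sss / pam_systemd_home /
# pam_unix / pam_deny / pam_permit, and the PAM_PRELIM_CHECK pass is not modelled.

LOCAL_USERS = {"root", "villebrequin", "synced"}   # constructed /etc/shadow entries
REMOTE_USERS = {"alice", "synced"}                  # constructed sssd/homed-managed users
QUALITY_MIN_LEN = 8                                 # stand-in for pam_unix 'obscure' checks

# Stack from the first report.
PETTER_STACK = """\
password sufficient pam_sss.so
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
password requisite pam_deny.so
password required pam_permit.so
"""
# Stack from the second report; its pam_deny/pam_permit lines are not shown there
# and are assumed from the default Debian layout (success=2 skips unix and deny).
ALEXIS_STACK = """\
password        [success=2 default=ignore]      pam_systemd_home.so
password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass yescrypt
password        requisite                       pam_deny.so
password        required                        pam_permit.so
"""
# Constructed stack for the "local password synced to a remote" case: the remote
# module is 'required', so pam_unix still runs after it has stacked the token.
SYNCED_STACK = PETTER_STACK.replace("sufficient", "required")


def parse_pam_line(line):
    """Parse 'password <control> <module> [args...]'; control may be '[k=v ...]'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "password":
        return None
    if tokens[1].startswith("["):
        end = next(i for i, t in enumerate(tokens) if t.endswith("]"))
        control, rest = " ".join(tokens[1:end + 1]), tokens[end + 1:]
    else:
        control, rest = tokens[1], tokens[2:]
    return control, rest[0], rest[1:]


def drop_use_authtok(text):
    """The change proposed in the thread: remove use_authtok from the pam_unix line."""
    return text.replace(" use_authtok", "")


def remote_module(user, args, env):
    """pam_sss / pam_systemd_home stand-in: an unmanaged user is reported as
    unknown without any prompt, so PAM_AUTHTOK stays unset for later modules."""
    if user not in REMOTE_USERS:
        return "PAM_USER_UNKNOWN"
    env["authtok"] = env["typed"].pop(0)          # "prompt": take the next typed password
    env["remote_db"][user] = env["authtok"]
    return "PAM_SUCCESS"


def pam_unix(user, args, env):
    """pam_unix stand-in: use_authtok forbids prompting; without it a rejected
    stacked token leads to a fresh prompt (the try_first_pass behaviour)."""
    if user not in LOCAL_USERS:
        return "PAM_USER_UNKNOWN"
    token = env.get("authtok")
    if token is None and "use_authtok" in args:
        return "PAM_AUTHTOK_ERR"                  # nothing stacked and may not ask: fail
    if token is None:
        token = env["typed"].pop(0)               # prompt for a new password
    if "obscure" in args and len(token) < QUALITY_MIN_LEN:
        if "use_authtok" in args:
            return "PAM_AUTHTOK_ERR"              # must use the stacked token as-is
        token = env["typed"].pop(0)               # rejected the stacked token: ask again
    env["shadow"][user] = token
    return "PAM_SUCCESS"


MODULES = {"pam_sss.so": remote_module, "pam_systemd_home.so": remote_module,
           "pam_unix.so": pam_unix,
           "pam_deny.so": lambda u, a, e: "PAM_AUTHTOK_ERR",   # passwd prints this as
           "pam_permit.so": lambda u, a, e: "PAM_SUCCESS"}     # "...token manipulation error"


def action_for(control, rc):
    """Control field + module result -> int (skip n), 'done', 'die', 'bad', 'ok' or 'ignore'."""
    ok = rc == "PAM_SUCCESS"
    if control.startswith("["):
        fields = dict(f.split("=") for f in control.strip("[]").split())
        act = fields.get("success" if ok else rc[4:].lower(), fields.get("default", "bad"))
        return int(act) if act.isdigit() else act
    return {"sufficient": "done" if ok else "ignore", "requisite": "ok" if ok else "die",
            "required": "ok" if ok else "bad", "optional": "ok" if ok else "ignore"}[control]


def run_chauthtok(stack_text, user, typed_passwords):
    """Walk the stack the way libpam does; returns (final result, simulated state)."""
    stack = [p for p in map(parse_pam_line, stack_text.splitlines()) if p]
    env = {"typed": list(typed_passwords), "shadow": {}, "remote_db": {}}
    failure, i = None, 0
    while i < len(stack):
        control, module, args = stack[i]
        rc = MODULES[module](user, args, env)
        act = action_for(control, rc)
        if act == "done":                         # 'sufficient' succeeded
            return failure or rc, env
        if act == "die":                          # 'requisite' failed
            return rc, env
        if act == "bad" and failure is None:      # 'required' failed: remember, carry on
            failure = rc
        i += 1 + (act if isinstance(act, int) else 0)
    return failure or "PAM_SUCCESS", env
```

Running `run_chauthtok(PETTER_STACK, "root", [...])` or the second stack for `villebrequin` ends in pam_deny with `PAM_AUTHTOK_ERR`, which is what `passwd` reports as "Authentication token manipulation error": the remote module skips the unknown user without prompting, and pam_unix with `use_authtok` refuses to prompt itself. After `drop_use_authtok` the same calls succeed and write the local entry. The `synced` user shows the trade-off Sam Hartman describes: with `use_authtok` a token the local policy rejects fails the whole change rather than being replaced, while without it pam_unix prompts again and the local and remote passwords end up different.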