[Bug 399967] New: pam_krb5 ignores use_authtok
https://bugzilla.novell.com/show_bug.cgi?id=399967

           Summary: pam_krb5 ignores use_authtok
           Product: openSUSE 11.0
           Version: RC 1
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: lpechacek@novell.com
         QAContact: qa@suse.de
          Found By: L3

According to the documentation use_authtok should prevent pam_krb5 from asking for password during password change. That does not work.

How to reproduce:
1) configure your system for Kerberos authentication using YaST - /etc/pam.d/common-auth now lists pam_unix2 and pam_krb5
2) try to change your password with passwd, enter wrong password
3) passwd spits out a new prompt - "Kerberos 5 Password:"

    lpechacek@linux-0soo:~> passwd
    Changing password for lpechacek.
    Old Password:
    Kerberos 5 Password:

Workaround:
Edit /etc/pam.d/common-passwd and replace use_authtok with use_first_pass for pam_krb5. Then it works fine.

Impact:
The current behavior breaks the kdepasswd utility from KDE 3.5. The bug affects both Code10 and Code11.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
User mc@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=399967#c1
Michael Calmer
> According to the documentation use_authtok should prevent pam_krb5 from asking for password during password change.

This is wrong.

use_authtok tells pam_krb5.so to never prompt for new passwords when changing passwords.
                                                  ^^^ "new password"

But it still will ask for the "old password". So your workaround is the solution.

I tested our default kerberos configuration and it worked fine. The default for the old password is "try_first_pass". If you enter a wrong "old password" you will be asked again for the old password. In such a case your example happens.
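The option semantics discussed in this thread, as an added example that is not part of the bug report or of pam_krb5: a small check that reads a PAM stack and reports, for each pam_krb5 "password" entry, whether a failed old password can trigger a second prompt. The sample stack, the function names and the output format are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of a PAM password stack (not copied from a real system).
sample_stack() {
    cat <<'EOF'
# constructed example
password  requisite  pam_pwcheck.so  nullok
password  sufficient pam_unix2.so    nullok
password  required   pam_krb5.so     use_authtok
password  required   pam_krb5.so     use_first_pass
auth      sufficient pam_krb5.so     use_first_pass
EOF
}

# Reads a PAM stack on stdin. For every pam_krb5 "password" entry prints
#   <line-no> old=<mode> new=<mode>
# old=reprompt : try_first_pass (the default) asks again if the old password fails
# old=silent   : use_first_pass, the workaround from the report
# new=silent   : use_authtok, never prompts for the new password
# new=default  : use_authtok absent; no claim is made about new-password prompts
krb5_passwd_prompts() {
    awk '
        $1 != "password" { next }
        {
            is_krb5 = 0; oldp = "reprompt"; newp = "default"
            # Scan every field after the type so that bracketed controls
            # such as [success=1 default=ignore] do not shift the options.
            for (i = 2; i <= NF; i++) {
                if ($i ~ /(^|\/)pam_krb5(\.so)?$/) is_krb5 = 1
                else if ($i == "use_first_pass") oldp = "silent"
                else if ($i == "try_first_pass") oldp = "reprompt"
                else if ($i == "use_authtok")    newp = "silent"
            }
            if (is_krb5) printf "%d old=%s new=%s\n", NR, oldp, newp
        }
    '
}

sample_stack | krb5_passwd_prompts
```

An entry reported as old=reprompt is the configuration in which passwd shows the extra "Kerberos 5 Password:" prompt after a wrong old password.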