[opensuse-factory] password behavior too nuts to file a bug - yet
I started to file the following as a bug, but seems like I must be missing something:

Summary: passwordless and null password account logins rejected (KDE3 and vttys)

Systems: both 12.3 & 13.1M2 on both i586 and x86_64

Comments:

To reproduce:
1-install minimal X normally but without creating any regular user(s)
2-set grub cmdline(s) to include 3 parameter
3-set solver.onlyRequires=true in /etc/zypp.conf
4-install minimalist via zypper and set default KDM/KDE (3 and/or 4)
5-create group account (e.g. # groupadd -g 1999 mygroup)
6-create user account (e.g. # useradd -g 1999 -u 1999 myaccount)
7a-delete password (e.g. # passwd -d myaccount), or
7b-set password null (e.g. #passwd myaccount, <ENTER>, <ENTER>)
8-attempt to login with new user account (hostname login: myaccount)(in KDM or vtty)

Actual results:
1a-(KDE) Login failed
1b-(vtty) Login incorrect
2-(vtty) login prompt refreshes

Expected results:
1-(vtty) Last login XXX XXX ## ##:"##:## on ttyX
2-(vtty) Have a lot of fun...
3-(all KDE) login succeeds

Comments:
1-applies also to 12.3 (local hosts gx150 & big41)
2-In pre-12.3 openSUSE versions, deleting password failed too, but setting password null worked. In Fedora 19 (as in previous versions) and Mageia 3 (as in previous versions, and Mandriva, and Mandrake), setting password null fails, but deleting password works.
3-IIRC (I need to verify if I can figure out which systems this applies to), 12.2 systems (at least those with sysvinit-init installed) for which users and null password(s) was/were set and which were upgraded to 12.3 via zypper continue to accept logins.
4-On 3 of the 4 installations, once KDM had been started after the users and passwords had been set and at least one reboot, this bug permanently disappeared, remaining only on host gx150 running 13.1 and KDE3.

What am I missing?

The gx150 13.1M2 system has krb5-1.11.3-2.1, pam-1.1.6-8.1 and xauth-1.0.7-5.2, and also repositories/KDE:/KDE3/openSUSE_Factory enabled.
-- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/ -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sat, 6 Jul 2013 22:52, Felix Miata
I started to file the following as a bug, but seems like I must be missing something:
Summary: passwordless and null password account logins rejected (KDE3 and vttys)
Systems: both 12.3 & 13.1M2 on both i586 and x86_64
Comments:

To reproduce:
1-install minimal X normally but without creating any regular user(s)
2-set grub cmdline(s) to include 3 parameter
3-set solver.onlyRequires=true in /etc/zypp.conf
4-install minimalist via zypper and set default KDM/KDE (3 and/or 4)
5-create group account (e.g. # groupadd -g 1999 mygroup)
6-create user account (e.g. # useradd -g 1999 -u 1999 myaccount)
7a-delete password (e.g. # passwd -d myaccount), or
7b-set password null (e.g. #passwd myaccount, <ENTER>, <ENTER>)
8-attempt to login with new user account (hostname login: myaccount)(in KDM or vtty)
Actual results: 1a-(KDE) Login failed 1b-(vtty) Login incorrect 2-(vtty) login prompt refreshes
Expected results: 1-(vtty) Last login XXX XXX ## ##:"##:## on ttyX 2-(vtty) Have a lot of fun... 3-(all KDE) login succeeds [snip]
Interesting to know would be:
1- create testuser with pw (and $HOME dir)
2- login testuser with pw
3- logout testuser
4- as root set [null] passw for testuser
5- try login as testuser

if login succeeds, look into the auth path for first-logins and what's different beyond setting up $HOME, otherwise the trouble lies in the main auth path, IMHO one or more of the SUSE pam-patches should be rebased or thrown out.

Missing $HOME dir is a known trouble cause (since before pam), pam checks existence and can deny login for missing $HOME, pam-config decides.

-Yamaban.
On 2013-07-06 23:10 (GMT+0200) Yamaban composed:
Missing $HOME dir is a known trouble cause (since before pam), pam checks existence and can deny login for missing $HOME, pam-config decides.
Where is "pam-config"? Are you referring to /etc/pam.d/? These are multiboot systems with shared home. I have a script used for creating users matching the dirs in the home partition after new installations. Except, matches have been presumed. I recently modified script to add logins matching 3 added Linux STB hosts, but on this system at least forgot about creating any new homedirs to match, as I had not had occasion to attempt to login using any of them. Nevertheless I created those dirs with proper o.g, then tried again the logins, but got no farther than before. On this 13.1M2 installation at least, all types of passwordless logins remain failures.
Interesting to know would be: 1- create testuser with pw (and $HOME dir)
check
2- login testuser with pw
success
3- logout testuser
check
4- as root set [null] passw for testuser
check
5- try login as testuser
failure
if login succeeds, look into the auth path for first-logins and what's different beyond setting up $HOME,
No idea what you're referring to here.
otherwise the trouble lies in the main auth path,
or here. :-(
IMHO one or more of the SUSE pam-patches should be rebased or thrown out.
Why is traditional openSUSE nullpass working but -d not working a different paradigm from Fedora & Mageia/Mandriva nullpass not working but -d working? -d is simpler to implement each time, and does not require the second <ENTER> after providing login name at prompt.
-- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
On Sun, 7 Jul 2013 00:46, Felix Miata
On 2013-07-06 23:10 (GMT+0200) Yamaban composed:
Missing $HOME dir is a known trouble cause (since before pam), pam checks existence and can deny login for missing $HOME, pam-config decides.
Where is "pam-config"? Are you referring to /etc/pam.d/?
Any config option (even ./configure during compile) that can change this behavior. Last time I needed to change that behavior was on RHEL3 and there it was in /etc/pam.d/* [snip]
if login succeeds, look into the auth path for first-logins and what's different beyond setting up $HOME,
No idea what you're referring to here.
In the beginning of pam, first-time logins took another code-path during auth, added checks ($HOME, passwd age, ...) were done. This could have been moved into normal codepath since then.
Why is traditional openSUSE nullpass working but -d not working a different paradigm from Fedora & Mageia/Mandriva nullpass not working but -d working? -d is simpler to implement each time, and does not require the second <ENTER> after providing login name at prompt.
On VAX and older Solaris (mid 90ies) the '-d' option replaced the passwd-hash with a simple 'x' and thus disabled login for this account. Now, looking at the man-page of passwd it should set the passwd-hash to '' [empty], but what does "passwd $USER <return>,<return>" then do differently? Setting a hash of [empty] perhaps?

Added info: the "old" passwd was replaced with the one from the shadow-package, that may have added some behavior change.

Have you looked at the content of /etc/login.defs between the different distros yet? And the content of /etc/pam.d/* needs a diploma to get through. But of interest here is esp. the diff between 'newusers' and 'login', that could be some of the cause.

Different distro, different config during compile, different config on system. In the beginning Mandrake, later Mandriva, now Mageia, have taken the Fedora source-rpms, changed some specs and did a rebuild. Thus Fedora and Mageia are much nearer in behavior than Fedora and openSUSE for example.

-Yamaban.
On one 12.3 system, KDM4.10.5 is accepting root login without typing a password, while rejecting other users, since null password and -d creation is failing.
-- "The wise are known for their understanding, and pleasant words are persuasive." Proverbs 16:21 (New Living Translation) Team OS/2 ** Reg. Linux User #211409 ** a11y rocks! Felix Miata *** http://fm.no-ip.com/
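The thread leaves open what state `passwd -d` or a null password leaves in the shadow password field, and whether the PAM auth stack then accepts the login. The script below is an added example, not part of any message in the thread: it classifies the password field of shadow-format lines and checks whether a pam_unix auth line carries `nullok`, the option without which pam_unix refuses an empty password field. The function names are hypothetical and the shadow and PAM lines are constructed samples.

```shell
#!/bin/sh
# Classify the password field (2nd field of an /etc/shadow line).
classify_shadow_field() {
    case "$1" in
        '')        echo empty  ;;  # nothing stored; pam_unix accepts only with nullok
        '!'*|'*'*) echo locked ;;  # no hash can match; password login disabled
        '$'*)      echo hashed ;;  # crypt(3) hash in $id$salt$hash form
        *)         echo other  ;;  # legacy DES hash or a placeholder such as 'x'
    esac
}

# Read a PAM config on stdin; succeed if an active pam_unix auth line has nullok.
pam_unix_allows_null() {
    awk '$1 ~ /^-?auth$/ && /pam_unix\.so/ {
             for (i = 3; i <= NF; i++) if ($i == "nullok") found = 1 }
         END { exit !found }'
}

# audit_null_logins SHADOW_TEXT PAM_TEXT -> one "user state verdict" line per account
audit_null_logins() {
    if printf '%s\n' "$2" | pam_unix_allows_null; then nullok=yes; else nullok=no; fi
    printf '%s\n' "$1" | while IFS=: read -r user field _rest; do
        [ -n "$user" ] || continue
        state=$(classify_shadow_field "$field")
        case "$state:$nullok" in
            empty:yes) verdict="accepted-without-password" ;;
            empty:no)  verdict="rejected-no-nullok" ;;
            locked:*)  verdict="password-login-disabled" ;;
            *)         verdict="checked-against-hash" ;;  # includes a hash of ""
        esac
        echo "$user $state $verdict"
    done
}

# Constructed sample data (not taken from any system in the thread).
SAMPLE_SHADOW='root:$6$constructedsalt$constructedhash:15892::::::
myaccount::15892:0:99999:7:::
testuser:!:15892:0:99999:7:::'
SAMPLE_PAM_STRICT='auth required pam_unix.so try_first_pass'
SAMPLE_PAM_NULLOK='# constructed auth stack with nullok
auth required pam_unix.so try_first_pass nullok'

audit_null_logins "$SAMPLE_SHADOW" "$SAMPLE_PAM_STRICT"
audit_null_logins "$SAMPLE_SHADOW" "$SAMPLE_PAM_NULLOK"
```

On a live system the two inputs would be the contents of /etc/shadow (readable by root only) and of the file under /etc/pam.d/ that supplies the login service's auth stack.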
participants (2): Felix Miata, Yamaban