This fixes a bug where Linux-PAM asks for the new password three times
when changing the password. With this fix, PAM asks for the new password
and then only once more to confirm it - two times total.
This bug applies to the `passwd` command, to the expired password dialog
when signing into the console using an account which has an expired
password, and to other similar uses of the PAM conversation function such
as changing the password during SSH login.
This does not affect the external behavior of the REST APIs or the webui
because they use automated PAM conversation functions which programmatically
supply the password as many times as it is requested.
The bug happens like this:
When PAM is asked to change a password via pam_chauthtok, it reads the
/etc/pam.d/common-password file and executes the first module, pam_ipmicheck.
This calls pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL) which prompts
for the new password and then prompts again to verify they are the same.
The next module, pam_cracklib makes two calls: a call to
pam_get_authtok_noverify() followed by a call to pam_get_authtok_verify().
The call to pam_get_authtok_noverify() does NOT prompt because the new
password is already known to PAM, but the call to pam_get_authtok_verify()
unconditionally prompts to validate the password. That's why we see two
prompts to "Retype" the new password. The first is from pam_ipmicheck, and
the second is from pam_cracklib/pam_get_authtok_verify.
The fix is to invoke pam_cracklib first and pam_ipmicheck second.
Then pam_cracklib does all of its prompting, and pam_ipmicheck gets what it
needs without prompting. The pam_ipmicheck module only checks the username
and password length, so switching the sequence of these modules should be
harmless.
Tested: yes, via the "passwd USER" command
(From meta-phosphor rev: a71db86192df0b0268db93e7ae6dc4633fce271e)
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I044df5731a69e45eca9597a345fa6d1b01041b58
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
pam_unix logs the user name when sessions are established; quiet
the same in the configuration. This is done to avoid logging the user name,
as logs will be exported as part of the debug log dump etc., thereby
compromising sensitive information.
Also disallow nullok login from a security point of view.
Tested:
1. Verified that session establishments are not recorded with the user
name.
2. Verified webui, redfish, ipmi, ssh login works as expected.
(From meta-phosphor rev: 15a293b458ef2f013356f9746c0ac7a20e59c1c1)
Change-Id: Ic0fcdbfd9a5968fa55a27b7d2de379f8ba131cac
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Not querying the password for an invalid user name is a security
issue and can be used to determine valid / invalid user names
in the system. Always proceed to the password acceptance screen
for invalid user login attempts too. This commit configures
pam_tally2 to ignore unknown users and proceed to do the password
check.
Tested:
Verified the same in bmc serial console login with an invalid user
name; the password was requested before displaying login incorrect.
Note: dropbear handles this already and hence ssh will not exhibit
this behavior.
(From meta-phosphor rev: 356ec08b989c84d1d034c3ff283a6909658d9435)
Change-Id: I72483d26ad7b7c39068ac33b7387adf2b10a1a27
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
The default credit for pam-cracklib was used, causing an issue
in meeting the minlen requirement for a new password, i.e. 1 credit
will be applied if the password contains digits, upper case,
or lower case etc., making minlen accepted. "fw6ev9" would
pass pam_cracklib earlier for minlen as the password length was 6, and +2
credit got substituted for lower case & digit use in the password.
Correcting the same now, by not providing any credit, so that the
minlen of 8 chars in the password must be met.
Tested:
1. Tested password 'fw6ev9' fails to set
2. Tested password '0penBmc1' was accepted as it passes 8 characters
Note: With this commit, the current default passwd for the root user
'0penBmc' will work fine, but the same can't be used as the password
during a password update.
(From meta-phosphor rev: 0e67cd66f4f530b4ccccb2ab400ba2dabb3c0737)
Change-Id: Ieeebef45a655563ac7779627b1cf38ef6080c046
Signed-off-by: Richard Marian Thomaiyar <richard.marian.thomaiyar@linux.intel.com>
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
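
The credit arithmetic that the commit above describes, as an added example in Python; this is not code from pam_cracklib or from meta-phosphor. It reimplements the minlen rule from pam_cracklib(8): a positive Ncredit adds up to N to the effective length for each character of that class, a credit of 0 adds nothing, and a negative -N is a hard requirement for at least N characters of that class. The passwords are the ones quoted in the commit plus "OpenBmcX", constructed here for the negative-credit case.

```python
def effective_length(password, dcredit=1, ucredit=1, lcredit=1, ocredit=1):
    """Return the credited length pam_cracklib compares against minlen, or
    None when a negative credit (a hard per-class requirement) is not met.

    The defaults of 1 per class are pam_cracklib's own defaults, which is
    exactly what the commit above pins to 0.
    """
    counts = {
        "d": sum(1 for c in password if c.isdigit()),
        "u": sum(1 for c in password if c.isupper()),
        "l": sum(1 for c in password if c.islower()),
        "o": sum(1 for c in password if not c.isalnum()),
    }
    size = len(password)
    for cls, credit in (("d", dcredit), ("u", ucredit), ("l", lcredit), ("o", ocredit)):
        if credit >= 0:
            size += min(counts[cls], credit)   # at most `credit` bonus per class
        elif counts[cls] < -credit:
            return None                         # e.g. dcredit=-1 and no digit
    return size


def passes_minlen(password, minlen=8, **credits):
    """True when the credited length reaches minlen (the commit's minlen is 8)."""
    size = effective_length(password, **credits)
    return size is not None and size >= minlen


# The corrected configuration: no length credit for any class.
NO_CREDIT = dict(dcredit=0, ucredit=0, lcredit=0, ocredit=0)


if __name__ == "__main__":
    for pw in ("fw6ev9", "0penBmc", "0penBmc1"):
        print(f"{pw!r:11} default credits: {passes_minlen(pw)!s:5}  "
              f"no credit: {passes_minlen(pw, **NO_CREDIT)}")
    # A hard requirement instead of a bonus: at least one digit.
    print("OpenBmcX with dcredit=-1:",
          passes_minlen("OpenBmcX", dcredit=-1, ucredit=0, lcredit=0, ocredit=0))
```

With the defaults, "fw6ev9" scores 6 + 1 (digits) + 1 (lower case) = 8 and slips past minlen=8; with every credit at 0 its score is its length, 6, and it is rejected, while the 8-character "0penBmc1" still passes. The 7-character "0penBmc" fails under the corrected settings, which is the caveat the commit notes about the default root password.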
Absence of the ldap distro feature will not generate pam_ldap.so, because
of which we might see some unwanted error messages regarding the
failure to open pam_ldap.so in journalctl in case pam_ldap
is present in the PAM configuration.
This commit would:
- Leverage the '-' option before the 'type' in the pam configuration, by which
the PAM library will not log any errors in the syslog if it is not
able to load the module because it is missing in the system. By using
this we don't need two pam configuration files for ldap and unix.
- Leverage the ignore_unknown_user & ignore_authinfo_unavail options of
pam_ldap.so, which force the PAM framework to ignore pam_ldap in case
the user is not present in the LDAP server or the client cannot
connect to the LDAP server.
(From meta-phosphor rev: 2c7efc937785a76e35a06b6807e12765ad40d99d)
Change-Id: Ic1044989ccae4e6e442de9865cf00cea33f75262
Signed-off-by: manojkiraneda <manojkiran.eda@gmail.com>
Signed-off-by: Andrew Geissler <geissonator@yahoo.com>
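
A small lint that checks a PAM stack for the four configuration points the log above arrives at (pam_cracklib ahead of pam_ipmicheck so the new password is prompted for only once, no nullok and a quiet pam_unix session, pam_tally2 not ending the auth stack on an unknown user, and a '-'-prefixed pam_ldap with ignore_unknown_user and ignore_authinfo_unavail). This is an added example in Python, not code from meta-phosphor or Linux-PAM. The two configuration texts are constructed for the example and are not the project's shipped files; the module names, the '-' prefix and the pam_unix options are the real Linux-PAM ones, but expressing the pam_tally2 change as user_unknown=ignore in the control field is an assumption, since the page does not show that line.

```python
import re

# One Linux-PAM line: optional '-' prefix, type, control (bare word or
# [bracketed list]), module, then the module's own arguments.
PAM_LINE = re.compile(
    r"^(?P<opt>-?)(?P<type>[a-z]+)\s+(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_pam(text):
    """Parse pam.d-style text into a list of dicts, one per module line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("@"):    # blank, comment or @include
            continue
        m = PAM_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        entries.append({"optional": m["opt"] == "-", "type": m["type"],
                        "control": m["control"], "module": m["module"],
                        "args": m["args"].split()})
    return entries


def lint(text):
    """Return findings; an empty list means the stack matches the log's fixes."""
    entries = parse_pam(text)
    findings = []

    # 1. Prompt order: pam_cracklib prompts and verifies once, pam_ipmicheck
    #    then reuses the token.  The reverse order yields a second "Retype".
    mods = [e["module"] for e in entries if e["type"] == "password"]
    if {"pam_cracklib.so", "pam_ipmicheck.so"} <= set(mods) and \
            mods.index("pam_ipmicheck.so") < mods.index("pam_cracklib.so"):
        findings.append("password: pam_ipmicheck.so runs before pam_cracklib.so (double Retype prompt)")

    for e in entries:
        typ, mod = e["type"], e["module"]
        opts = dict(a.split("=", 1) for a in e["args"] if "=" in a)

        # 2. Length credits default to 1 per class; each must be pinned to 0.
        if mod == "pam_cracklib.so":
            if int(opts.get("minlen", "9")) < 8:          # 9 is pam_cracklib's default
                findings.append(f"{typ}: pam_cracklib.so minlen below 8")
            for c in ("dcredit", "ucredit", "lcredit", "ocredit"):
                if opts.get(c, "1") != "0":
                    findings.append(f"{typ}: pam_cracklib.so {c} not 0 (credit shortens effective minlen)")

        # 3. pam_unix: no empty-password logins; no user name in session logs.
        if mod == "pam_unix.so":
            if "nullok" in e["args"]:
                findings.append(f"{typ}: pam_unix.so nullok permits empty passwords")
            if typ == "session" and "quiet" not in e["args"]:
                findings.append("session: pam_unix.so without quiet logs the user name")

        # 4. pam_ldap: tolerate a missing module, an unknown user, an unreachable server.
        if mod == "pam_ldap.so":
            if not e["optional"]:
                findings.append(f"{typ}: pam_ldap.so lacks the '-' prefix (load failure is logged)")
            for a in ("ignore_unknown_user", "ignore_authinfo_unavail"):
                if a not in e["args"]:
                    findings.append(f"{typ}: pam_ldap.so missing {a}")

        # 5. pam_tally2 must not end the auth stack on an unknown user, or the
        #    absent password prompt reveals which names exist.  Writing that
        #    as user_unknown=ignore in the control field is an assumption.
        if mod == "pam_tally2.so" and typ == "auth" and "user_unknown=ignore" not in e["control"]:
            findings.append("auth: pam_tally2.so control does not ignore user_unknown (user enumeration)")

    return findings


# Constructed for this example: a stack with every problem the log describes.
WEAK = """\
auth     [success=ok default=die]  pam_tally2.so deny=5 unlock_time=600
auth     sufficient                pam_ldap.so
auth     required                  pam_unix.so nullok
session  required                  pam_unix.so
password required                  pam_ipmicheck.so
password required                  pam_cracklib.so minlen=8
password required                  pam_unix.so sha512 use_authtok nullok
"""

# Constructed for this example: the same stack with each fix applied.
HARDENED = """\
auth     [success=ok user_unknown=ignore default=die]  pam_tally2.so deny=5 unlock_time=600
-auth    sufficient  pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
auth     required    pam_unix.so
session  required    pam_unix.so quiet
password required    pam_cracklib.so minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0
password required    pam_ipmicheck.so use_authtok
password required    pam_unix.so sha512 use_authtok
"""

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        result = lint(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

Run it against a real /etc/pam.d/common-auth, common-password and common-session concatenated into one string; the parser ignores comments and @include lines, and each finding names the stack type so it can be traced back to the file it came from.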
Move pam metadata from recipes-core to recipes-extended, to match
oe-core.
(From meta-phosphor rev: 6f75a62ec75deb7ba6efdc5b5c3dda960dda701d)
Change-Id: If8e36b1199f9e70ce27522d915ceaa281caaabc6
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>