author: Joseph Reynolds <joseph-reynolds@charter.net> 2019-12-03 08:11:47 +0300
committer: Brad Bishop <bradleyb@fuzziesquirrel.com> 2019-12-03 18:11:17 +0300
commit: a64c49f8082587bed0e106a0dcf00ff0b014535f (patch)
tree: 06c8735af41d84438d48c470f36fc5b46301ff07 /meta-phosphor/recipes-extended/pam
parent: 278ec1393025b4fd4efff35cde6e045c5f80e6e5 (diff)
download: openbmc-a64c49f8082587bed0e106a0dcf00ff0b014535f.tar.xz
PAM config: move pam_cracklib to first position
This fixes a bug where Linux-PAM asks for the new password three times when changing the password. With this fix, PAM asks for the new password and then only once more to confirm it - two times total. This bug applies to the `passwd` command, to the expired password dialog when signing into the console using an account which has an expired password, and to other similar uses of the PAM conversation function such as changing the password during SSH login. This does not affect the external behavior of the REST APIs or the webui because they use automated PAM conversation functions which programmatically supply the password as many times as it is requested.

The bug happens like this: When PAM is asked to change a password via pam_chauthtok, it reads the /etc/pam.d/common-password file and executes the first module, pam_ipmicheck. This calls pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL), which prompts for the new password and then prompts again to verify they are the same. The next module, pam_cracklib, makes two calls: a call to pam_get_authtok_noverify() followed by a call to pam_get_authtok_verify(). The call to pam_get_authtok_noverify() does NOT prompt because the new password is already known to PAM, but the call to pam_get_authtok_verify() unconditionally prompts to validate the password. That's why we see two prompts to "Retype" the new password. The first is from pam_ipmicheck, and the second is from pam_cracklib/pam_get_authtok_verify.

The fix is to invoke pam_cracklib first and pam_ipmicheck second. Then pam_cracklib does all of its prompting, and pam_ipmicheck gets what it needs without prompting. The pam_ipmicheck module only checks the username and password length, so switching the sequence of these modules should be harmless.
Tested: yes, via the "passwd USER" command

(From meta-phosphor rev: a71db86192df0b0268db93e7ae6dc4633fce271e)
Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I044df5731a69e45eca9597a345fa6d1b01041b58
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
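To make the prompt-count argument in the commit message concrete, here is an added model of the password stack (example code written for this page, not OpenBMC's or Linux-PAM's code). It encodes only the pam_get_authtok / pam_get_authtok_noverify / pam_get_authtok_verify behaviour the message states, replaces the real conversation function with one that logs every prompt and answers it automatically (as the REST and webui paths do), and runs the two module orders from the hunk. The `minlen=8` value comes from the pam_cracklib line; the IPMI length limit and the module bodies are assumptions for the model, not the real modules.

```python
"""Model of Linux-PAM password prompting as described in the commit message.
Assumption: pam_get_authtok* semantics are taken from the message, not from
Linux-PAM source; module bodies are simplified stand-ins."""

from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PamHandle:
    """Minimal stand-in for pam_handle_t: the PAM_AUTHTOK item plus a log of
    every prompt the conversation function was asked to show."""
    conv_answer: str                      # what the automated conversation replies
    authtok: Optional[str] = None         # the PAM_AUTHTOK item
    prompts: List[str] = field(default_factory=list)

    def converse(self, prompt: str) -> str:
        self.prompts.append(prompt)
        return self.conv_answer


# pam_get_authtok family, as the commit message describes them
def pam_get_authtok(h: PamHandle) -> str:
    """pam_get_authtok(pamh, PAM_AUTHTOK, ...): reuse the cached item, otherwise
    prompt for the new password and prompt once more to verify it."""
    if h.authtok is None:
        first = h.converse("New password: ")
        again = h.converse("Retype new password: ")
        if first != again:
            raise ValueError("PAM_TRY_AGAIN: passwords do not match")
        h.authtok = first
    return h.authtok


def pam_get_authtok_noverify(h: PamHandle) -> str:
    """Prompt only when no PAM_AUTHTOK is cached; never asks to retype."""
    if h.authtok is None:
        h.authtok = h.converse("New password: ")
    return h.authtok


def pam_get_authtok_verify(h: PamHandle) -> str:
    """Unconditionally prompts to retype and compares against the cached item."""
    again = h.converse("Retype new password: ")
    if again != h.authtok:
        raise ValueError("PAM_TRY_AGAIN: passwords do not match")
    return h.authtok


# The two modules whose order the patch swaps (simplified stand-ins)
def pam_ipmicheck(h: PamHandle) -> None:
    pw = pam_get_authtok(h)
    if len(pw) > 20:   # assumed IPMI password length limit for this model
        raise ValueError("PAM_AUTHTOK_ERR: password too long for IPMI")


def pam_cracklib(h: PamHandle, minlen: int = 8) -> None:
    pw = pam_get_authtok_noverify(h)
    if len(pw) < minlen:
        raise ValueError("PAM_AUTHTOK_ERR: password too short")
    pam_get_authtok_verify(h)


def run_password_stack(modules: List[Callable[[PamHandle], None]],
                       new_password: str) -> List[str]:
    """Execute the 'password' stack and return every prompt the user saw."""
    h = PamHandle(conv_answer=new_password)
    for module in modules:
        module(h)
    return h.prompts


OLD_ORDER = [pam_ipmicheck, pam_cracklib]   # before the patch: 3 prompts
NEW_ORDER = [pam_cracklib, pam_ipmicheck]   # after the patch: 2 prompts

if __name__ == "__main__":
    for name, order in (("old", OLD_ORDER), ("new", NEW_ORDER)):
        print(name, run_password_stack(order, "correct-horse"))
```

Running the block prints the old order's three prompts (one "New password" and two "Retype") and the new order's two, which is exactly the user-visible difference the message claims; swapping the order back reproduces the duplicate "Retype" from pam_get_authtok_verify.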
Diffstat (limited to 'meta-phosphor/recipes-extended/pam')
-rw-r--r--  meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password | 4
1 file changed, 2 insertions, 2 deletions
diff --git a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
index cf6a62a2c2..ef706f3080 100644
--- a/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
+++ b/meta-phosphor/recipes-extended/pam/libpam/pam.d/common-password
@@ -16,8 +16,8 @@
# See the pam_unix manpage for other options.
# here are the per-package modules (the "Primary" block)
-password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi
-password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0 lcredit=0 ocredit=0 dcredit=0 ucredit=0 use_authtok
+password [success=ok default=die] pam_cracklib.so debug enforce_for_root reject_username minlen=8 difok=0 lcredit=0 ocredit=0 dcredit=0 ucredit=0
+password [success=ok default=die] pam_ipmicheck.so spec_grp_name=ipmi use_authtok
password [success=ok ignore=ignore default=die] pam_pwhistory.so debug enforce_for_root remember=0 use_authtok
password [success=ok default=die] pam_unix.so sha512 use_authtok
password [success=1 default=die] pam_ipmisave.so spec_grp_name=ipmi spec_pass_file=/etc/ipmi_pass key_file=/etc/key_file
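Review bot: the hunk moves `use_authtok` from the pam_cracklib line onto the pam_ipmicheck line, but the commit message says pam_ipmicheck reuses the cached PAM_AUTHTOK through its plain pam_get_authtok call regardless, so please confirm that pam_ipmicheck actually parses a `use_authtok` argument rather than logging it as an unrecognised option. The ordering is now load-bearing and nothing in the file records that: add a comment above the two swapped lines stating that pam_cracklib must remain the first `password` module because it is the one that prompts, and that every later module (pam_ipmicheck, pam_pwhistory, pam_unix) must consume the cached token, so a future reshuffle does not reintroduce the triple prompt.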