password expiry for a principal

Markus Moeller huaraz at moeller.plus.com
Sat Jan 19 10:14:50 EST 2008


I did some work with Russ' module on OpenSolaris and Solaris 10 release 4 
(which has Kerberos headers and libraries). I noted a small issue (a crash of 
pam_krb5 when calling pam_setcred in cache_init_from_cache, since for some 
reason the pointer to the old cache is NULL). There also seems to be a 
problem with retrieving the old token, as the module will ask again for the 
current password (although this is related to using Sun's 
pam_authtok_get.so.1 to retrieve tokens/passwords).

My check tool output. (The user mm is set up on win2k3 R2 for authentication 
and LDAP authorization.)

# ./check_user
==> called pam_start()
  got: `Success' `0'
==> called pam_start()
  got: `Success' `0'
Please enter user name: mm
Password:
==> called pam_authenticate()
  got: `Get new authentication token' `10'
New Password:
Current Kerberos password:
Re-enter new Password:
==> called pam_chauthtok()
  got: `Success' `0'
==> called pam_acct_mgmt()
  got: `Success' `0'
UID : 0
eUID : 0
==> called pam_open_session()
  got: `Success' `0'
Segmentation Fault(coredump)


cache_init_from_cache(struct pam_args *args, const char *ccname,
                      krb5_ccache old, krb5_ccache *cache)
{
    struct context *ctx;
    krb5_creds creds;
    krb5_cc_cursor cursor;
    int pamret;
    krb5_error_code status;

    memset(&creds, 0, sizeof(creds));
    if (args == NULL || args->ctx == NULL || args->ctx->context == NULL)
        return PAM_SERVICE_ERR;
    ctx = args->ctx;
    status = krb5_cc_start_seq_get(ctx->context, old, &cursor);
    if (status != 0) {


pam.conf extract
#
#
#
check_user auth requisite       pam_authtok_get.so.1
check_user auth sufficient      pam_krb5-3.9.so use_first_pass debug
check_user auth sufficient      pam_krb5-3.9.so realm=SUSE.HOME use_first_pass debug
check_user auth required        pam_krb5-3.9.so realm=WIN2003R2.HOME use_first_pass debug
check_user auth required        pam_unix_auth.so.1 use_first_pass debug
#
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 debug
passwd  auth sufficient         pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 realm=SUSE.HOME use_first_pass debug
passwd  auth sufficient         pam_krb5-3.9.so minimum_uid=200 minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
passwd  auth required           pam_passwd_auth.so.1 use_first_pass
#
#
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password sufficient     pam_krb5-3.9.so minimum_uid=200 use_first_pass debug
other   password sufficient     pam_krb5-3.9.so minimum_uid=200 realm=SUSE.HOME use_first_pass debug
other   password sufficient     pam_krb5-3.9.so minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
other   password required       pam_authtok_store.so.1 use_first_pass

passwd works fine with the above config:

# passwd mm
Password:
New Password:
Re-enter new Password:

Markus

"Russ Allbery" <rra at stanford.edu> wrote in message 
news:87d4rya4y4.fsf at windlord.stanford.edu...
> Coy Hile <coy.hile at coyhile.com> writes:
>
>> Does your pam_krb5 implmentation support this type of setup?  The stock
>> one that ships with Solaris does not.
>
> Yup, it should prompt the user to change their password.  It just makes
> use of the support inside the Kerberos libraries for doing so, though, so
> that may not work when built against the Solaris Kerberos libraries if
> they don't include that support.  I don't know; I don't use Solaris's
> Kerberos implementation.
>
> -- 
> Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
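To see how the pam.conf stack quoted above actually resolves (which entries run, where a `sufficient` pam_krb5 line short-circuits, and why the trailing `required` pam_unix_auth.so.1 still decides the result when the user's realm is only matched by the third pam_krb5 line), here is a small stack walker plus a lint pass. This is an added example, not code from the post or from pam-krb5; the embedded pam.conf lines are transcribed from the post with the mail-wrapped lines rejoined (constructed input), and the control-flag semantics are the standard ones for requisite/required/sufficient/optional (Solaris' `binding` flag is not modelled, and an optional-only stack is an edge case this walker does not reproduce exactly: both assumptions).

```python
"""Walk a Solaris-style pam.conf stack for given module outcomes and lint it.

Added example, not code from the original post or from pam-krb5.  Semantics
modelled: requisite, required, sufficient, optional (assumption: `binding`
and optional-only stacks are not handled).
"""
from collections import Counter
from dataclasses import dataclass

# check_user/passwd extract from the post, wrapped lines rejoined (constructed).
PAM_CONF = """\
# service  type  control     module                options
check_user auth  requisite   pam_authtok_get.so.1
check_user auth  sufficient  pam_krb5-3.9.so       use_first_pass debug
check_user auth  sufficient  pam_krb5-3.9.so       realm=SUSE.HOME use_first_pass debug
check_user auth  required    pam_krb5-3.9.so       realm=WIN2003R2.HOME use_first_pass debug
check_user auth  required    pam_unix_auth.so.1    use_first_pass debug
passwd     auth  sufficient  pam_krb5-3.9.so       minimum_uid=200 minimum_uid=200 debug
passwd     auth  sufficient  pam_krb5-3.9.so       minimum_uid=200 minimum_uid=200 realm=SUSE.HOME use_first_pass debug
passwd     auth  sufficient  pam_krb5-3.9.so       minimum_uid=200 minimum_uid=200 realm=WIN2003R2.HOME use_first_pass debug
passwd     auth  required    pam_passwd_auth.so.1  use_first_pass
"""

CONTROLS = {"requisite", "required", "sufficient", "optional"}


@dataclass
class Entry:
    service: str
    type: str
    control: str
    module: str
    options: list


def parse_pam_conf(text):
    """Parse pam.conf lines of the form: service type control module [options]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"line {lineno}: need service type control module")
        service, mtype, control, module = fields[:4]
        if control not in CONTROLS:
            raise ValueError(f"line {lineno}: unsupported control flag {control!r}")
        entries.append(Entry(service, mtype, control, module, fields[4:]))
    return entries


def select_stack(entries, service, mtype):
    """Entries for one service/type pair, in file order (that is the stack)."""
    return [e for e in entries if e.service == service and e.type == mtype]


def walk(stack, outcomes):
    """Resolve a stack given per-entry success (True) / failure (False).

    Returns (result, indices of the entries that were actually called)."""
    if len(stack) != len(outcomes):
        raise ValueError("one outcome per stack entry required")
    called, required_failed, decisive_ok = [], False, False
    for i, (entry, ok) in enumerate(zip(stack, outcomes)):
        called.append(i)
        if entry.control == "requisite":
            if not ok:
                return "fail", called            # requisite failure stops the stack
            decisive_ok = True
        elif entry.control == "required":
            if ok:
                decisive_ok = True
            else:
                required_failed = True           # remembered, but later entries still run
        elif entry.control == "sufficient":
            if ok and not required_failed:
                return "success", called         # short-circuit: later entries never run
        # optional: outcome does not affect the result (see module docstring)
    if required_failed or not decisive_ok:
        return "fail", called
    return "success", called


def lint(entries):
    """Flag repeated options on a line and use_first_pass on a stack's first entry
    (no earlier module could have collected the token it wants to reuse)."""
    warnings, seen = [], set()
    for e in entries:
        dups = [o for o, n in Counter(e.options).items() if n > 1]
        if dups:
            warnings.append(f"{e.service} {e.type} {e.module}: duplicate option {', '.join(dups)}")
        if (e.service, e.type) not in seen:
            seen.add((e.service, e.type))
            if "use_first_pass" in e.options:
                warnings.append(f"{e.service} {e.type} {e.module}: use_first_pass on first entry")
    return warnings


if __name__ == "__main__":
    entries = parse_pam_conf(PAM_CONF)
    # User mm lives in WIN2003R2.HOME: only the third pam_krb5 entry authenticates.
    print(walk(select_stack(entries, "check_user", "auth"), [True, False, False, True, True]))
    for w in lint(entries):
        print("warning:", w)
```

Running it shows that for a WIN2003R2.HOME user every entry in the check_user auth stack is called, because the matching pam_krb5 line is `required` rather than `sufficient`, so pam_unix_auth.so.1 must also succeed; a user matched by the first pam_krb5 line stops after two entries. The lint pass only reports the doubled `minimum_uid=200` on the passwd lines.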




