The PAM_PRELIM_CHECK in pam_sss does not verify the old password.
If pam_sm_chauthtok() is called in pam_sss with the flag PAM_PRELIM_CHECK, it will not check the old password of a user, and it does not even check whether the user's password is managed by the sssd. This is very bad as it completely breaks the expectations of other modules in the normally configured stack. Most probably it is not a security problem as the other modules will not change user passwords without having obtained the correct old password, however it makes the behavior of the passwd command very confusing to the user.
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.0
priority: critical => blocker
Fixed by 23dc20c
fixedin: => 1.0.0
proposed: =>
resolution: => fixed
status: new => closed
tests: 0 => 1
Please add steps to reproduce, so this can be verified. Thx.
With this patch the current password is checked before the new password is requested. Before, the current and the new password were requested and you got an error when the current password was wrong.

Old behaviour:
-> Password: ...
-> New Password: ...
-> Reenter new password: ...
<- ok, or error if password was wrong or password change failed

New behaviour:
-> Password: ...
<- error if password was wrong
-> New Password: ...
-> Reenter new password: ...
<- ok, or error if password change failed
HTH, Sumit
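The two-phase contract the ticket description and the old/new behaviour comparison above rely on, as an added stand-alone model (not sssd's pam_sss code): the module's PAM_PRELIM_CHECK pass verifies the old password and reports unmanaged users as unknown, so the libpam driver never reaches the "New Password:" prompt when the old password is wrong. The user table, the `prelim_checks_old` switch and the `change_password()` driver are constructed for the example; the PAM constant names are the real Linux-PAM ones, redefined locally so the file builds without libpam headers.

```c
/* Added model, not sssd's pam_sss code, of the two-phase pam_sm_chauthtok() contract.
 * PAM names are defined locally with Linux-PAM values so it builds without libpam headers. */
#include <stddef.h>
#include <string.h>
#define PAM_SUCCESS        0
#define PAM_AUTH_ERR       7
#define PAM_USER_UNKNOWN   10
#define PAM_AUTHTOK_ERR    20
#define PAM_UPDATE_AUTHTOK 0x2000
#define PAM_PRELIM_CHECK   0x4000
struct user { const char *name; const char *password; };
/* Constructed users managed by this module; other names belong to other stack modules. */
static struct user users[] = { { "alice", "old-secret" }, { "bob", "hunter2" } };
static int prelim_checks_old;   /* 0 reproduces the ticket's bug, 1 is the fixed behaviour */
int new_password_prompted;      /* did the last change_password() reach "New Password:"? */

static struct user *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        if (strcmp(users[i].name, name) == 0) return &users[i];
    return NULL;
}

/* Model of pam_sm_chauthtok(): libpam calls it twice per password change. */
static int chauthtok(int flags, const char *name, const char *old_pw, const char *new_pw)
{
    struct user *u = find_user(name);
    if (u == NULL) return PAM_USER_UNKNOWN;   /* not ours: let other modules decide */
    int old_ok = old_pw != NULL && strcmp(old_pw, u->password) == 0;
    if (flags & PAM_PRELIM_CHECK)             /* the fix: verify the old password here */
        return (prelim_checks_old && !old_ok) ? PAM_AUTH_ERR : PAM_SUCCESS;
    if (flags & PAM_UPDATE_AUTHTOK) {
        if (!old_ok || new_pw == NULL) return PAM_AUTH_ERR;  /* never change without the old one */
        u->password = new_pw;
        return PAM_SUCCESS;
    }
    return PAM_AUTHTOK_ERR;
}
/* Model of the libpam driver behind passwd: PAM_PRELIM_CHECK over the stack first,
 * then, only if that succeeded, prompt for the new password and run the update. */
int change_password(int check_old_in_prelim, const char *name, const char *old_pw, const char *new_pw)
{
    prelim_checks_old = check_old_in_prelim;
    new_password_prompted = 0;
    int rc = chauthtok(PAM_PRELIM_CHECK, name, old_pw, NULL);
    if (rc != PAM_SUCCESS) return rc;   /* "<- error if password was wrong" */
    new_password_prompted = 1;          /* "-> New Password:" is asked only now */
    return chauthtok(PAM_UPDATE_AUTHTOK, name, old_pw, new_pw);
}
```

With `check_old_in_prelim` set to 0 a wrong old password still fails, but only after the new password has been requested, which is exactly the confusing passwd behaviour the ticket describes.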
coverity: =>
patch: => 0
tests: 1 => 0
upgrade: => 0
rhbz: => 0
Metadata Update from @tmraz:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.0
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/1368
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.