[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#656296: Samba passwd sync already fixed in SVN

[Mike Gabriel 2013-04-01]
> The cloned issue will be about making PAM password calls redirect the
> user somehow to GOsa².

There are two issues here.  One is to block passoword changes via PAM
from working, to make sure the passwords in LDAP (Kerberos, LDAP, Samba)
do not get out of sync.  The other is to give sensible feedback to users
trying to change password using PAM.

Blocking password changes is fairly easy.  This patch debian-edu-config
will make it impossible to use PAM to change passwords:

Index: share/debian-edu-config/pam-config-krb5
--- share/debian-edu-config/pam-config-krb5     (revisjon 80414)
+++ share/debian-edu-config/pam-config-krb5     (arbeidskopi)
@@ -10,11 +10,6 @@
 Account-Type: Additional
        required                pam_krb5.so minimum_uid=1000
-Password-Type: Primary
-       [success=end default=ignore]    pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
-       [success=end default=ignore]    pam_krb5.so minimum_uid=1000
 Session-Type: Additional
        optional                pam_krb5.so minimum_uid=1000

It is fairly non-intrusive and just remove the password block from our
krb5 pam setup.  I suggest we implement this for Wheezy, to make sure
PAM password changes do not bring passwords out of sync.

To give sensible feedback, I suspect we need to add a PAM module to send
a message to users trying to change passwords.  Something like this
might work, using libpam-python to implement a PAM module to present
this message.

A file /usr/share/debian-edu-config/pam-config-nopwdchange would look
like this:
Name: Block password change using PAM, use Gosa instead.
Default: yes
Priority: 0
Password-Type: Additional
 required pam_python.so /usr/share/debian-edu-config/pam-nopwdchange.py

The file /usr/share/debian-edu-config/pam-nopwdchange.py would look like
#!/usr/bin/env python
# Reject password change, ask people to use the Gosa web interface
# instead.

import sys
import syslog
import pwd

def pam_sm_setcred(pamh, flags, argv):
  return pamh.PAM_SUCCESS

def pam_sm_authenticate(pamh, flags, argv):
  return pamh.PAM_SUCCESS

def pam_sm_acct_mgmt(pamh, flags, argv):
  return pamh.PAM_SUCCESS

def pam_sm_open_session(pamh, flags, argv):
  return pamh.PAM_SUCCESS

def pam_sm_close_session(pamh, flags, argv):
  return pamh.PAM_SUCCESS

def pam_sm_chauthtok(pamh, flags, argv):
  syslog.openlog("pam_edu_nopwdchange", syslog.LOG_PID, syslog.LOG_AUTH)
  syslog.syslog("calling pam_sm_chauthtok()")
  user = pamh.get_user(None)
  userinfo = pwd.getpwnam(user)
  uid = userinfo[2]
  if 1000 <= uid:
    text = "Please visit https://www/gosa to change your password for Debian Edu / Skolelinux. THANKS!"
    msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
    syslog.syslog("rejected password change for user %s" % user)
    return pamh.PAM_SYSTEM_ERR
  return pamh.PAM_SUCCESS

# Test if the code work.  Argument is username to simulate login for.
if __name__ == '__main__':
  syslog.openlog("pam_mklocaluser", syslog.LOG_PID, syslog.LOG_AUTH)
  user = sys.argv[1]
  class pam_handler:
    def get_user(self, arg):
      return user
    def Message(self, tag, str):
      return str
    def conversation(self, msg):
      print "PAM conversation: " + msg
  pamh = pam_handler()
  if pamh.PAM_SUCCESS == pam_sm_chauthtok(pamh, None, None):
    print "pam_sm_chauthtok returned PAM_SUCCESS"
    print "pam_sm_chauthtok returned PAM_SYSTEM_ERR"

We would add cfengine rules similar to the ones currently enabling
edu-krb5 to activate this PAM setup too.

Happy hacking
Petter Reinholdtsen

Reply to: