[Freeipa-users] pam settings for changing password under FreeIPA

Nick Gresham n.gresham at manchester.ac.uk
Fri Oct 24 13:36:14 UTC 2008



Simo Sorce wrote:

> This is working because you are doing a password change over ldap and
> not using kerberos.
> 

Ok, that makes sense: presumably when I have matters working I should
comment out the

	password required pam_ldap.so	etc.

stuff in common-password.

> From the other email I have the impression that your ipa_kpasswd daemon
> has an invalid keytab and cannot successfully authenticate to ldap to
> perform the password change.
> 
> Not sure why that happened.
> 
> You might try to use kadmin.local in this case to create a new secret
> for kpasswd/changepw@REALM and dump it
> in /var/kerberos/krb5kdc/kpasswd.keytab (make sure to copy it on all
> servers).
>

Ok done!

After resetting the secret for kpasswd/changepw@REALM and re-extracting
the keytab, the password-changing dialog for an ssh session to the
Fedora 9 client now goes like this:

Password: ********
Warning: Your password will expire in less than one hour.
Warning: password has expired.
Kerberos 5 Password: ********
Warning: Your password will expire in less than one hour.
New UNIX password: ******
Retype new UNIX password: ******
Last login: Fri Oct 24 14:08:51 2008 from l***.s***.man.ac.uk

So this is a big improvement, but I am still concerned that it may be
too confusing for our user base, in that they would have to enter the
'old' (i.e. expired) password twice (once at the initial "Password"
prompt and then again after the warnings at the "Kerberos 5 Password"
prompt) before getting to 'New UNIX password' and the actual password
change.

Ideally there would just be the initial prompt and warning and then 'New
UNIX password' etc.

Just to reiterate, the Fedora 9 client now has the following in
/etc/pam.d/system-auth:

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

and in /etc/ssh/sshd_config it has

PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes

My experience here coincides with that of a previous poster to the list:
password changing will not work at all unless
'ChallengeResponseAuthentication yes'
is in effect.

> You are the second who seems to have stumbled on this problem, so it
> would be nice to know if you did any particular operation right before
> that password change mechanism stopped working?
> 

Not sure how the keytab could have become invalid, but at one point I
did tear down and reinstall freeipa on both machines, so perhaps
something went astray there.

Many thanks for the advice so far,

Regards

[NG]

--
N.J. Gresham
FLS/IS AIO
Systems Administration and Support

University of Manchester
Faculty of Life Sciences

int: 7759349
ext: 0790-989-3684
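An added configuration check, written for this archive page and not part of FreeIPA or of the post above: it parses the system-auth password stack and the sshd_config lines quoted in the message (embedded here as constructed strings, with a pam_ldap.so entry added to reproduce the case the reply describes) and reports the conditions the thread turns on, namely pam_ldap.so left beside pam_krb5.so in the password stack, ChallengeResponseAuthentication or UsePAM not set to yes, modules after the first that lack use_authtok and so prompt for the new password again, and modules listed after a required pam_deny.so. The defaults it assumes for absent sshd keywords are OpenSSH's; the finding texts are the author's own wording.

```python
import re

# Constructed sample input: the /etc/pam.d/system-auth password stack quoted in
# the post, plus a pam_ldap.so line of the kind the reply says to comment out.
SAMPLE_PAM = """\
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so
"""

# Constructed sample input: the /etc/ssh/sshd_config lines quoted in the post.
SAMPLE_SSHD = """\
PasswordAuthentication no
ChallengeResponseAuthentication yes
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
"""

# type  control(or [bracketed control])  module  optional args
PAM_LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text, ptype="password"):
    """Return the entries of one PAM management group ('password' by default)
    as (control, module, args) tuples in stack order. Comments are dropped and
    the bracketed [success=1 default=ignore] control syntax is accepted."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if m and m.group(1) == ptype:
            stack.append((m.group(2), m.group(3), m.group(4).split()))
    return stack


def parse_sshd(text):
    """Return {keyword.lower(): value}, keeping the first occurrence of each
    keyword, which is how sshd resolves duplicate directives."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip())
    return opts


def lint(pam_text, sshd_text):
    """Return a list of human-readable findings for the password-change path."""
    findings = []
    stack = parse_pam(pam_text)
    modules = [mod for _, mod, _ in stack]
    sshd = parse_sshd(sshd_text)

    # Thread point 1: pam_ldap changes the password directly over LDAP and
    # bypasses kpasswd, so with FreeIPA it should not sit beside pam_krb5.
    if "pam_ldap.so" in modules and "pam_krb5.so" in modules:
        findings.append("pam_ldap.so is in the password stack together with "
                        "pam_krb5.so; remove it so changes go through Kerberos")

    # Thread point 2: an expired-password change over ssh runs through PAM's
    # keyboard-interactive path, which needs both of these to be on.
    # Defaults assumed for absent keywords are OpenSSH's (yes / no).
    if sshd.get("challengeresponseauthentication", "yes").lower() != "yes":
        findings.append("ChallengeResponseAuthentication is off; PAM password "
                        "changes over ssh will not be offered")
    if sshd.get("usepam", "no").lower() != "yes":
        findings.append("UsePAM is off; sshd will not run the PAM password stack")

    # Extra prompting: every module after the first should reuse the new
    # password collected by the first (use_authtok) instead of asking again.
    for _control, mod, args in stack[1:]:
        if mod in ("pam_deny.so", "pam_permit.so"):
            continue
        if "use_authtok" not in args:
            findings.append(f"{mod} lacks use_authtok and will prompt for the "
                            "new password a second time")

    # Ordering: once a 'required' pam_deny.so has run, the stack's result is
    # already failure, so anything listed after it cannot succeed.
    for idx, (control, mod, _args) in enumerate(stack):
        if mod == "pam_deny.so" and control == "required":
            for _c, later, _a in stack[idx + 1:]:
                findings.append(f"{later} is listed after required pam_deny.so "
                                "and can never succeed")
            break
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_PAM, SAMPLE_SSHD):
        print("-", finding)
```

Run against the sample it reports only the pam_ldap.so entry; swap the file contents for a host's real /etc/pam.d/system-auth and /etc/ssh/sshd_config to check a client before rolling it out.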
