lightdm ask ldap administrator password when changing an expired password

Hi, I confirm this issue (also in trunk).

It's apparently due to an "improper" use of flags in pam_chauthtok call (session-child.c:337).

Because lightdm calls pam_chauthtok after a positive check on PAM_NEW_AUTHTOK_REQD (from man page "The user account is valid but their authentication token is expired") it should pass the PAM_CHANGE_EXPIRED_AUTHTOK flag (from man page "This argument indicates to the modules that the users authentication token (password) should only be changed if it has expired").
gdm3 uses the flag correctly (gdm-session-worker.c:1291).

Without the flag "the application requires that all authentication tokens are to be changed" (pam man) so you need to provide the LDAP admin credentials.

To solve simply change the line about chauthok in session-child.c (line 291 for lightdm-1.2.2 of wheezy) from

authentication_result = pam_chauthtok (pam_handle, 0 );

to

authentication_result = pam_chauthtok (pam_handle, PAM_CHANGE_EXPIRED_AUTHTOK );

If you want to patch the Debian Wheezy package:
1) download lightdm debian source package: apt-get source lightdm
2) go to the source folder lightdm-1.2.2/src and edit session-child.c as suggested
3) step-back to the lightdm-1.2.2 folder and run dpkg-buildpackage -rfakeroot -uc -b (dpkg-buildpackage may require some packages to proceed, it lists the required packages, install these with apt-get install <package-list>)
4) if dpkg-buildpackage completes without errors you have your lightdm_1.2.2-4_i386.deb (step-back to the initial folder)
5) stop lightdm (invoke-rc.d lightdm stop) and remove it (apt-get remove lightdm)
6) install your lightdm package (dpkg -i lightdm_1.2.2-4_i386.deb) and start it (invoke-rc.d lightdm start)

That should be fixed because as it is no one can use lightdm with ldap when a periodic password change is required.

Please note that this bug causes other problems that affect also the default configuration (pam_unix).
For example on pam_unix the missing flag (PAM_CHANGE_EXPIRED_AUTHTOK) causes the setting of another pam flag UNIX__IAMROOT [1] which cause other unexpected behaviours [2].

You can verify this on Wheezy:
1) install lightdm
2) create a new test user (call it "giulio", set password "giulio")
# adduser giulio
3) login with giulio and try to change the account password
giulio$ passwd
try to use the password "t", it fails because it's too short
try to use the password "turetta", it fails because it's too simple
password change succeeds only with an (almost) secret password like "tuREtt4"
3) now expire giulio's password
# chage -d 0 giulio
4) try to login by lightdm, current password is "tuREtt4"
5) login succeeds but you will be asked to insert a new password, insert "t"
6) giulio's password is now "t"! Ouch!!!!
7) now, expire the password again and try to change it to "a" by a login with gdm3 (ssh, console, ...): the right policies will be enforced

Note, about pam_unix, that this bug also breaks the "remember" pam_unix policy.

I think that this bug probably impacts most of the pam modules and so it must be considered an important security issue (security policies are not enforced).

I'm performing further checks...

[1] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/support.c:68
if (getuid() == 0 && !(flags & PAM_CHANGE_EXPIRED_AUTHTOK)) {
  D(("IAMROOT"));
  set(UNIX__IAMROOT, ctrl);
}

[2] from Wheezy pam source: /pam-1.1.3/modules/pam_unix/pam_unix_passwd.c:491
if (off(UNIX__IAMROOT, ctrl)) {
  if (strlen(pass_new) < pass_min_len)
    remark = _("You must choose a longer password");
  D(("length check [%s]", remark));
  if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
    if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
      remark = _("Password has been already used. Choose another.");
    if (retval == PAM_ABORT) {
      pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                                        OLD_PASSWORDS_FILE);
      return retval;
    }
  }
}

Fix committed into lp:lightdm at revision None, scheduled for release in lightdm, milestone Unknown

Marking as public as the change was released into Debian, in LightDM releases and is in public branches.

The attachment "patch file for Wheezy" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

This bug was fixed in the package lightdm - 1.9.7-0ubuntu1

---------------
lightdm (1.9.7-0ubuntu1) trusty; urgency=medium

  * New upstream release:
    - Correctly invoke PAM to change authentication token. (LP: #1270118)
    - Make xdg-seat a core property of a seat and always pass it to X servers.
    - Qt bindings: properly hand over prompt and message type.
    - Add warning flags where they are missing and fix the resulting warnings.
 -- Robert Ancell <email address hidden> Fri, 07 Feb 2014 15:40:20 +0000

Hello Gabriel, or anyone else affected,

Accepted lightdm into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/lightdm/1.2.3-0ubuntu2.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

After installing the patch, It is working for me core correctly (Precise)

This bug was fixed in the package lightdm - 1.2.3-0ubuntu2.5

---------------
lightdm (1.2.3-0ubuntu2.5) precise; urgency=medium

  * debian/patches/08_chauthtok.patch:
    - Correctly invoke PAM to change authentication token (LP: #1270118)
 -- Robert Ancell <email address hidden> Tue, 01 Apr 2014 16:03:51 +1300

The verification of the Stable Release Update for lightdm has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".