
pam: Do not prevent root from changing auth token #7761

Open. Wants to merge 1 commit into master.
Conversation

arrowd commented Dec 12, 2024

In my workflow I use pam_sss to change passwords of AD domain users. It works fine when the user changes his password himself, but it doesn't work when I do the same with, for example, the pamtester program running as root.

The history of this getuid() == 0 check traces back 15 years and still doesn't give a clear rationale.

The proposed patch fixes the problem for me.

sumit-bose (Contributor) commented
Hi,

Typically there are different semantics depending on whether the password change is called as a user or as root.

If it is called as a user, the semantic is that the password will be changed after the user has authenticated themselves by giving the current password of the account for which the password should be changed (typically the account of the user itself) and then the new password.

If it is called as root the semantic is a password reset, i.e. no additional authentication is required, being root is sufficient, and the password of any user can be set to a new one.

SSSD's support for the latter is quite limited because in the common use cases, where users come from remote sources like LDAP and the actual authentication happens remotely as well, e.g. with Kerberos or LDAP, SSSD does not have the privileges on the remote side to change the password. That's why this use case is already rejected in the PAM module.

bye,
Sumit
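As an added illustration (not code from this PR or from SSSD), the two chauthtok semantics described above modelled as one decision function: a non-root caller goes through PAM's two-phase flow (PAM_PRELIM_CHECK verifies the current password, PAM_UPDATE_AUTHTOK applies the new one), while a root caller is a reset that only succeeds if the backend can set a password without the old one. The PAM constants are local stand-ins with the documented Linux-PAM values, the sample account is constructed, and `backend_can_reset` is an assumed capability flag.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Stand-ins for Linux-PAM return codes and chauthtok flags (documented values,
 * redefined here so the example builds without libpam headers). */
#define PAM_SUCCESS        0
#define PAM_PERM_DENIED    6
#define PAM_AUTH_ERR       7
#define PAM_UPDATE_AUTHTOK 0x2000
#define PAM_PRELIM_CHECK   0x4000

/* Constructed sample account; a real module would consult the backend. */
static const char *SAMPLE_USER = "alice";
static const char *SAMPLE_OLD_PASSWORD = "correct-horse";

static int verify_old_password(const char *user, const char *pw) {
    return user && pw && strcmp(user, SAMPLE_USER) == 0
        && strcmp(pw, SAMPLE_OLD_PASSWORD) == 0;
}

/* caller_uid is what getuid() would return in the PAM module.
 * backend_can_reset (assumed flag): 1 if the backend can set a password
 * without the old one (local files), 0 for remote LDAP/Kerberos as described. */
int chauthtok_decision(uid_t caller_uid, int flags, const char *user,
                       const char *old_pw, int backend_can_reset,
                       char *mode, size_t mode_len) {
    if (caller_uid == 0) {
        /* root semantic: reset, no authentication beyond being root */
        if (!backend_can_reset) {
            snprintf(mode, mode_len, "reset-rejected");
            return PAM_PERM_DENIED;
        }
        snprintf(mode, mode_len, "reset");
        return PAM_SUCCESS;
    }
    if (flags & PAM_PRELIM_CHECK) {
        /* user semantic, phase 1: prove knowledge of the current password */
        snprintf(mode, mode_len, "change-prelim");
        return verify_old_password(user, old_pw) ? PAM_SUCCESS : PAM_AUTH_ERR;
    }
    if (flags & PAM_UPDATE_AUTHTOK) {
        /* phase 2: only reached after a successful prelim check */
        snprintf(mode, mode_len, "change-update");
        return PAM_SUCCESS;
    }
    snprintf(mode, mode_len, "unknown-flags");
    return PAM_PERM_DENIED;
}
```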

arrowd (Author) commented Dec 17, 2024

I don't quite get why it has to be dependent on the user's UID.

The password change happens on the domain controller side, which doesn't really care what the local user's credentials are. If changing a password requires authentication, the controller would ask the client to authenticate, be it root or not.

Anyways, if this change can't be accepted as it is, maybe we can make this behavior optional based on argv?
