RHEL-32834

[Cockpit] User gets locked on changing password via Cockpit GUI when user password expires.

    • Type: Bug
    • Resolution: Unresolved
    • cockpit
    • rhel-sst-cockpit
    • ssg_front_door

      Description of problem:
      When the password is forced to expire outside the Cockpit web console, and a privileged user has logged out of the web console, the user is prompted to reset the password on the next fresh login. Once the password is reset, the user attempts to log in.

      However, while attempting to escalate privileges by default with the reset password, i.e. the new password, the first 3 attempts fail and the user is locked.
      Apr 10 07:16:04 node-0 cockpit-session[12303]: pam_unix(cockpit:chauthtok): password changed for rhuser
      The password check is performed 3 times consecutively and fails 3 times.

      Apr 10 07:16:04 node-0 unix_chkpwd[12380]: password check failed for user (rhuser)
      Apr 10 07:16:04 node-0 sudo[12377]: pam_unix(sudo:auth): authentication failure; logname= uid=1002 euid=0 tty= ruser=rhuser rhost= user=rhuser
      Apr 10 07:16:06 node-0 unix_chkpwd[12400]: password check failed for user (rhuser)
      Apr 10 07:16:08 node-0 unix_chkpwd[12413]: password check failed for user (rhuser)
      Apr 10 07:16:08 node-0 sudo[12377]: pam_faillock(sudo:auth): Consecutive login failures for user rhuser account temporarily locked

      The user was locked.
      Normal login to the web console is allowed, but when attempting to escalate privileges the password is not accepted and the user is locked.

      With the user locked, no further logins are allowed until the user is unlocked.

          # faillock --user rhuser --reset

      Version-Release number of selected component (if applicable):

      cockpit-300.1-1.el8_9.x86_64

      pam-1.3.1-27.el8.x86_64

      How reproducible:
      Every time

      Steps to Reproduce:

      1. Set up the faillock options with deny=3. 

                    https://access.redhat.com/solutions/62949

      2. Log in from the web console as a user who has sudo privileges. Then escalate privileges with 'Turn on administrative access'.

      3. Then log out as this user, so that the user attempts to escalate privileges by default on the next login.

      4. Expire the user's password outside of Cockpit:

                 # chage -d 0 rhuser 

      5. Log in again as the rhuser user through the web console; it prompts to reset the password. The current password, new password and retyped new password are accepted, and the user's password is changed.

      6. The user is logged in as a normal user without sudo, but the user is locked because Cockpit attempts to escalate privileges in the backend and the password check fails 3 consecutive times.

       

      Actual results:
      The user is locked because 3 consecutive login attempts by Cockpit to escalate privileges using the password for rhuser failed.

       

      Expected results:
      The user should be allowed to escalate privileges with only one attempt with the updated or new password. The user should not be locked.

       

      Additional info:
      If we set deny=4 or deny=5 in the PAM configuration for faillock, the user is not locked and privilege escalation is allowed with the new password.

      However, by default the first 3 attempts fail and hence the user is locked due to the PAM configuration.

      Cockpit should accept the newly set password and should not fail 3 consecutive login attempts.
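      To make the interaction between the journal lines quoted in the description and the faillock deny threshold discussed in "Additional info" concrete, here is an added example (not part of this report and not Cockpit or PAM code). It replays the quoted journal lines as constructed sample input, keeps a per-user tally of failed password checks the way pam_faillock's counter does, and shows that deny=3 locks rhuser after the three unix_chkpwd failures while deny=4 or deny=5 does not. A second function flags the signature of this bug for an operator: a user locked within seconds of a successful chauthtok (password change). The function names, the 60-second window and the 1900 placeholder year used for syslog timestamps are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample input: the journal lines quoted in the bug report, in order.
JOURNAL = """\
Apr 10 07:16:04 node-0 cockpit-session[12303]: pam_unix(cockpit:chauthtok): password changed for rhuser
Apr 10 07:16:04 node-0 unix_chkpwd[12380]: password check failed for user (rhuser)
Apr 10 07:16:04 node-0 sudo[12377]: pam_unix(sudo:auth): authentication failure; logname= uid=1002 euid=0 tty= ruser=rhuser rhost= user=rhuser
Apr 10 07:16:06 node-0 unix_chkpwd[12400]: password check failed for user (rhuser)
Apr 10 07:16:08 node-0 unix_chkpwd[12413]: password check failed for user (rhuser)
"""

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) ")
CHANGE_RE = re.compile(r"pam_unix\(\S+:chauthtok\): password changed for (?P<user>\S+)")
FAIL_RE = re.compile(r"unix_chkpwd\[\d+\]: password check failed for user \((?P<user>[^)]+)\)")


def _parse_ts(line):
    """Syslog timestamps carry no year; strptime fills in 1900 (assumed placeholder),
    which is fine for computing differences within one day."""
    m = TS_RE.match(line)
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S") if m else None


def _new_state():
    return {"failures": 0, "locked": False, "changed_at": None, "locked_at": None}


def simulate_faillock(journal, deny=3):
    """Replay the journal and keep a per-user tally of failed password checks,
    marking a user locked once the tally reaches `deny` (pam_faillock's deny=N).
    Only unix_chkpwd lines are counted: the sudo pam_unix 'authentication failure'
    line describes the same failed check and must not be double counted."""
    state = {}
    for line in journal.splitlines():
        ts = _parse_ts(line)
        m = CHANGE_RE.search(line)
        if m:
            # Successful password change (chauthtok) for this user.
            state.setdefault(m["user"], _new_state())["changed_at"] = ts
            continue
        m = FAIL_RE.search(line)
        if m:
            s = state.setdefault(m["user"], _new_state())
            s["failures"] += 1
            if s["failures"] >= deny and not s["locked"]:
                s["locked"] = True
                s["locked_at"] = ts
    return state


def find_post_change_lockouts(journal, deny=3, window_seconds=60):
    """Return users locked within `window_seconds` of their own password change:
    the pattern this report describes, where the lockout follows a password
    reset rather than a human typing wrong passwords. `window_seconds` is an
    assumed tuning knob for this example."""
    hits = []
    for user, s in simulate_faillock(journal, deny).items():
        if s["locked"] and s["changed_at"] is not None:
            if (s["locked_at"] - s["changed_at"]).total_seconds() <= window_seconds:
                hits.append(user)
    return hits


if __name__ == "__main__":
    for deny in (3, 4, 5):
        s = simulate_faillock(JOURNAL, deny)["rhuser"]
        print(f"deny={deny}: failures={s['failures']} locked={s['locked']}")
    print("lockouts right after a password change:", find_post_change_lockouts(JOURNAL))
```

      Run as-is it reports three failures for rhuser, locked under deny=3 and not locked under deny=4 or deny=5, matching the observation in "Additional info". Pointing `find_post_change_lockouts` at real `journalctl` output lets an administrator spot accounts hit by this behaviour before a `faillock --user NAME --reset` is needed.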

              Assignee: Unassigned
              Reporter: rhn-support-ravpatil (Ravindra Patil)