RHBA-2005:062 - Bug Fix Advisory

Topic

Updated pam packages that resolve bugs in pam_unix and pam_timestamp
modules are now available for Red Hat Enterprise Linux.

Description

PAM (Pluggable Authentication Modules) is a system security tool that
allows system administrators to set authentication policies without having
to recompile programs that handle authentication.

The pam_unix module is used for traditional UNIX authentication via
/etc/passwd, /etc/shadow or NIS. The updated package resolves the following
issues:

A passwd command could falsely report a succesfull password change even if
the change didn't succeed due to immutable /etc/shadow file.

A passwd command changed NIS password even if the user was maintained
locally in the /etc/passwd file. Now it changes the local password instead.
For changing the NIS password for such user it is necessary to use the
yppaswd utility.

When logging in to a ssh server with a user with an empty password, it
didn't obey the 'PermitEmptyPasswords no' setting and allowed the user to
log in.

The pam_timestamp module is used for keeping root login access for system
administration applications so the user doesn't have to enter the root
password each time the application is started.

The updated package now checks if the user starting the application has
already logged out of the system after the previous root password entry and
it ensures the user has to enter the root password again in such case.

All users of PAM should upgrade to these updated packages, which resolve
these issues.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

If up2date fails to connect to Red Hat Network due to SSL
Certificate Errors, you need to install a version of the
up2date client with an updated certificate. The latest version of
up2date is available from the Red Hat FTP site and may also be
downloaded directly from the RHN website:

https://rhn.redhat.com/help/latest-up2date.pxt

Affected Products

• Red Hat Enterprise Linux Server 3 x86_64
• Red Hat Enterprise Linux Server 3 ia64
• Red Hat Enterprise Linux Server 3 i386
• Red Hat Enterprise Linux Workstation 3 x86_64
• Red Hat Enterprise Linux Workstation 3 ia64
• Red Hat Enterprise Linux Workstation 3 i386
• Red Hat Enterprise Linux Desktop 3 x86_64
• Red Hat Enterprise Linux Desktop 3 i386
• Red Hat Enterprise Linux for IBM z Systems 3 s390x
• Red Hat Enterprise Linux for IBM z Systems 3 s390
• Red Hat Enterprise Linux for Power, big endian 3 ppc

Fixes

• BZ - 77646 - passwd falsely reports successful change when /etc/shadow is immutable
• BZ - 115309 - NIS password changes are attempted before local user
• BZ - 136855 - Unexpected behavior with PAM, openssh and blank passwords
• BZ - 148986 - recent pam_limits change breaks existing configurations

CVEs

(none)

References

(none)