Desktop client doesn't handle expired password prompt

If a Linux user’s password is expired (with passwd -e), trying to log in with the desktop client fails.

Logging in with the correct password (server 4.12.1) shows a dialog saying “You are required to change your password immediately (administrator enforced)” which must be the challenge from PAM, but subsequent challenges are not shown. Instead the error “ThinLinc login failed (The SSH connection succeeded, but the ThinLinc server connection failed. Perhaps this server doesn’t run a ThinLinc server?)” is shown. There’s no useful feedback about where exactly this fails in the journal nor vsmserver/vsmagent logs but I suppose the challenge is just rejected when the dialog is closed and then the session is closed before the connection is established.

The web access client handles this correctly, by contrast: after entering the old username and password, the same PAM challenge is shown, but it’s followed by the subsequent challenges which ask for and accept the new password. (This is mentioned as being fixed in 5028 – Web Access authentication does not handle expired password pam prompts (cendio.com).)

Is there a way to get the same behaviour as the web access client on the desktop client?

Hello @astroowen

What distribution/version is this ThinLinc 4.12.1 server running on?

Kind regards,
Martin

That server runs on Ubuntu 23.04, though I have also encountered this on SL 7 servers.

Sorry for sidetracking a bit here, but are you really running ThinLinc 4.12.1? That version of ThinLinc requires Python 2, and Ubuntu 23.04 has no Python 2?

Regards,
Martin

For ThinLinc (native) client to pick up these prompts from PAM, you’d need to set KbdInteractiveAuthentication yes in your sshd configuration.

Kind regards,
Martin

I set that option to yes (and verified it was set, and restarted sshd) with the same result: the client shows the first “you are required to change your password immediately” prompt but no further prompts.

(/opt/thinlinc/etc/thinlinc-release and the web access client, both report it’s ThinLinc 4.12.1… the OS was upgraded from an older Ubuntu but it still has python2 on it.)

Ok.

Could you share the tlclient.log from when this is happening, and also the output of
sudo sshd -T | grep kbd

Btw, 4.12.1 will be out of support really soon, 2024-02-05.

Regards,
Martin

I’d already done sshd -T. Here is my local tlclient.log (lightly redacted):

2024-02-02T13:13:24: Log file created for ThinLinc client running on process 3664
2024-02-02T13:13:24: ThinLinc client release 4.15.0 build 3258
2024-02-02T13:13:37: SSH command: "C:\Program Files\ThinLinc Client\ssh.exe" -N -o GlobalKnownHostsFile=nul -o UserKnownHostsFile=nul -o UpdateHostKeys=yes -o PasswordAuthentication=no -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no -o IdentityFile=\"C:\Users\user\.ssh\id_rsa\" -o CheckHostIP=no -o NumberOfPasswordPrompts=3 -o HostKeyAlgorithms=<ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ecdsa-sha2-nistp256 user@host -p 22 thinlinc-login master
2024-02-02T13:13:37: ssh[E]: CONFIRM HOST KEY: 
2024-02-02T13:13:37: Host key previously known.
2024-02-02T13:13:37: ssh[E]: NEXT AUTHMETHOD: none
2024-02-02T13:13:37: ssh[E]: AUTH FAILURE
2024-02-02T13:13:37: ssh[E]: NEXT AUTHMETHOD: publickey
2024-02-02T13:13:37: ssh[E]: BANNER: You are required to change your password immediately (administrator enforced).\n
2024-02-02T13:13:39: ssh[E]: AUTH SUCCESS
2024-02-02T13:13:39: ssh[E]: CONNECTED
2024-02-02T13:13:39: ssh[E]: UPDATE HOST KEYS: 3 host ip 22
2024-02-02T13:13:39: Updating host keys for host.
2024-02-02T13:13:39: ssh[E]: WARNING: Your password has expired.
2024-02-02T13:13:39: ssh[E]: Password change required but no TTY available.
2024-02-02T13:13:39: ssh[E]: 
2024-02-02T13:13:39: ssh[E]: COMMAND_EXITSTATUS: 1
2024-02-02T13:13:39: WinProcess: Process 6020 (ssh.exe) did not exit in a timely manner. Forcing termination...
2024-02-02T13:13:45: Cannot find monitor for entry: 
2024-02-02T13:13:57: SSH command: "C:\Program Files\ThinLinc Client\ssh.exe" -N -o GlobalKnownHostsFile=nul -o UserKnownHostsFile=nul -o UpdateHostKeys=yes -o PubkeyAuthentication=no -o CheckHostIP=no -o NumberOfPasswordPrompts=1 -o HostKeyAlgorithms=<ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-ed25519,ecdsa-sha2-nistp256 user@host -p 22 thinlinc-login master
2024-02-02T13:13:57: ssh[E]: CONFIRM HOST KEY:
2024-02-02T13:13:57: Host key previously known.
2024-02-02T13:13:57: ssh[E]: NEXT AUTHMETHOD: none
2024-02-02T13:13:57: ssh[E]: AUTH FAILURE
2024-02-02T13:13:57: ssh[E]: NEXT AUTHMETHOD: keyboard-interactive
2024-02-02T13:13:57: ssh[E]: SSH_PROMPT:(user@host) Password: 
2024-02-02T13:13:58: ssh[E]: SSH_PROMPT:(user@host) You are required to change your password immediately (administrator enforced).Changing password for user.Current password: 
2024-02-02T13:23:12: ssh[E]: SSH_PROMPT:(user@host) New password: 
2024-02-02T13:23:26: ssh[E]: SSH_PROMPT:(user@host) Retype new password: 
2024-02-02T13:23:27: ssh[E]: AUTH SUCCESS
2024-02-02T13:23:27: ssh[E]: CONNECTED
...

When checking the tlclient.log file from the last session, I immediately noticed the -o ChallengeResponseAuthentication=no -o KbdInteractiveAuthentication=no in the SSH command, so I tried again once with my private key and once with my password. (I had tried password auth already but not since setting KbdInteractiveAuthentication yes on the server.) You can see that those options aren’t present in the command where I used password auth, and sure enough the client delivered the further prompts and let me change my password!

So thanks for pointing me in the right direction - KbdInteractiveAuthentication yes needs to be allowed on both server and client.

Do you expect that it will be possible to show the expired password prompt when logging in with a private key, or is it necessary for the client to set -o KbdInteractiveAuthentication=no in the private key auth case? Or perhaps to give a more informative error (for example telling the user to try logging in with their password if it exists)?
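As an added example (not code from the thread or from Cendio), a small Python triage script for tlclient.log: it splits the log into per-"SSH command" attempts and flags the combination seen above, PAM demanding a password change while the client ran ssh with KbdInteractiveAuthentication=no. The log text is constructed, modelled on the redacted excerpt posted above.

```python
import re

# Constructed sample modelled on the tlclient.log excerpt in this thread (abridged, not the original).
SAMPLE_LOG = """\
2024-02-02T13:13:37: SSH command: ssh.exe -N -o PasswordAuthentication=no -o KbdInteractiveAuthentication=no -o IdentityFile=id_rsa user@host -p 22 thinlinc-login master
2024-02-02T13:13:37: ssh[E]: NEXT AUTHMETHOD: publickey
2024-02-02T13:13:39: ssh[E]: AUTH SUCCESS
2024-02-02T13:13:39: ssh[E]: Password change required but no TTY available.
2024-02-02T13:13:39: ssh[E]: COMMAND_EXITSTATUS: 1
2024-02-02T13:13:57: SSH command: ssh.exe -N -o PubkeyAuthentication=no user@host -p 22 thinlinc-login master
2024-02-02T13:13:57: ssh[E]: NEXT AUTHMETHOD: keyboard-interactive
2024-02-02T13:13:58: ssh[E]: SSH_PROMPT:(user@host) You are required to change your password immediately (administrator enforced).Changing password for user.Current password:
2024-02-02T13:23:12: ssh[E]: SSH_PROMPT:(user@host) New password:
2024-02-02T13:23:27: ssh[E]: AUTH SUCCESS
"""

# Each tlclient.log line is "<ISO timestamp>: <message>".
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d): (.*)$")

def parse_attempts(log_text):
    """Split the log into per-'SSH command' attempts and record the auth events of each."""
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = m.groups()
        if msg.startswith("SSH command:"):
            # A new ssh invocation starts an attempt; note whether the client forbade keyboard-interactive.
            attempts.append({"started": ts, "methods": [], "success": False,
                             "kbd_disabled": "KbdInteractiveAuthentication=no" in msg,
                             "change_blocked": False, "new_pw_prompt": False})
        elif attempts:
            cur = attempts[-1]
            if msg.startswith("ssh[E]: NEXT AUTHMETHOD: "):
                cur["methods"].append(msg.rsplit(": ", 1)[1])
            elif msg == "ssh[E]: AUTH SUCCESS":
                cur["success"] = True
            elif "Password change required but no TTY available" in msg:
                cur["change_blocked"] = True   # PAM wanted a change but ssh had no channel to relay it
            elif msg.startswith("ssh[E]: SSH_PROMPT:") and "New password:" in msg:
                cur["new_pw_prompt"] = True    # change prompts were relayed over keyboard-interactive
    return attempts

def diagnose(attempt):
    """Classify one attempt with respect to the expired-password behaviour discussed in the thread."""
    if attempt["change_blocked"] and attempt["kbd_disabled"]:
        return "expired-password-blocked"    # retry with password auth so keyboard-interactive is allowed
    if attempt["success"] and attempt["new_pw_prompt"]:
        return "expired-password-changed"
    return "ok" if attempt["success"] else "failed"
```

Running diagnose over parse_attempts(SAMPLE_LOG) yields "expired-password-blocked" for the public-key attempt and "expired-password-changed" for the password attempt.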

Hi,

To change the password, the user needs to use password authentication, which will enable keyboard-interactive. This is not possible to change with the ThinLinc client if using some other method of authenticating.

I’m not aware of an easy way of notifying the user if their password has expired when they are using public key authentication.

Kind regards,
Martin