Bug 1688415 - GDM allows login of user with expired password [RHEL 7.7]
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gdm
Version: 7.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Ray Strode [halfline]
QA Contact: Desktop QE
Depends On:
Blocks: 1688416
Reported: 2019-03-13 17:14 UTC by Paul Gozart
Modified: 2019-03-29 06:55 UTC (History)

: 1688416 (view as bug list)

Description Paul Gozart 2019-03-13 17:14:13 UTC
Description of problem:

A user with an expired password can skip the change password process by entering an incorrect password when GDM presents the first step ("current UNIX password") of the change password procedure.  The user is simply admitted into the system and presented a notification saying, "Your password is expired. Please update it."  A user with an expired password should be forced to change it.

Version-Release number of selected component (if applicable):

Reproducible at least in RHEL 7.6 and RHEL 8 Beta

How reproducible:


Steps to Reproduce:

1. Expire regular user's password, for example `chage -d0 paul`
2. Lock the screen
3. Unlock the screen
4. Authenticate with expired password
5. You are now presented with the change password procedure. 
6. Enter incorrect password at the '(current) UNIX password' prompt
7. You are granted access to the system without changing the password and a notification is displayed saying, "Your password is expired. Please update it."

Actual results:

User is allowed access to the desktop

Expected results:

The user should be forced to change an expired password

Additional info:
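
An audit helper for the condition in this report, added here as an example (not part of the bug report or of GDM): it reads shadow(5)-format lines and lists accounts whose password is in the forced-change state that `chage -d0` produces, or has aged past its maximum. The function names and the sample entries are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def _days(field):
    """Shadow aging fields are day counts; empty or negative means 'not set'."""
    field = field.strip()
    if not field:
        return None
    value = int(field)
    return value if value >= 0 else None

def expiry_state(shadow_line, today):
    """Classify one shadow(5) entry as (user, state).

    state: 'locked' (hash starts with ! or *, no password login possible),
    'forced-change' (lastchg == 0, what `chage -d0` writes),
    'aged-out' (lastchg + max days is in the past), or 'ok'.
    """
    fields = shadow_line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("not a shadow(5) entry: %r" % shadow_line)
    user, pw_hash = fields[0], fields[1]
    lastchg, maxdays = _days(fields[2]), _days(fields[4])
    if pw_hash.startswith(("!", "*")):
        return user, "locked"
    if lastchg is None:          # aging disabled for this account
        return user, "ok"
    if lastchg == 0:
        return user, "forced-change"
    if maxdays is not None and (today - EPOCH).days > lastchg + maxdays:
        return user, "aged-out"
    return user, "ok"

def accounts_needing_change(lines, today):
    """Accounts that can still authenticate but must change their password."""
    states = (expiry_state(l, today) for l in lines if l.strip())
    return [(u, s) for u, s in states if s in ("forced-change", "aged-out")]

# Constructed sample entries (hashes are placeholders, not real).
SAMPLE = [
    "paul:$6$constructed$hash:0:0:99999:7:::",      # after `chage -d0 paul`
    "alice:$6$constructed$hash:17800:0:90:7:::",    # changed long ago, max 90
    "bob:$6$constructed$hash:17950:0:90:7:::",      # still within max age
    "svc:!!:0:0:99999:7:::",                        # locked, cannot log in
    "carol:$6$constructed$hash::0:99999:7:::",      # aging disabled
]

if __name__ == "__main__":
    for user, state in accounts_needing_change(SAMPLE, date(2019, 3, 13)):
        print(user, state)
```

On a live system the same functions can be fed the lines of `/etc/shadow` (root only) to list the accounts for which an unlock like the one described above should have forced a password change.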
