Improper Authorization in cobbler

### Impact

If PAM is correctly configured and a user account is set to expired, the expired user-account is still able to successfully log into Cobbler in all places (Web UI, CLI & XMLRPC-API).

The same applies to user accounts with passwords set to be expired.

### Patches

There is a patch for the latest Cobbler `3.3.2` available, however a backport will be done for `3.2.x`.

### Workarounds

– Delete expired accounts which are able to access Cobbler via PAM.
– Use `chage -l ` to lock the account. If the account has SSH-Keys attached then remove them completely.

### References

– Originally discovered by @ysf at

### How to test if my Cobbler instance is affected?

The following `pytest` test assumes that your PAM setup is correct. In case the added user is not able to login, this test does not make sense to be executed.

def test_pam_login_with_expired_user():
# Arrange
# create pam testuser
test_username = “expired_user”
test_password = “password”
test_api = CobblerAPI()
subprocess_1 =
[“perl”, “-e”, “‘print crypt(“%s”, “%s”)'” % (test_username, test_password)],
)[“useradd”, “-p”, subprocess_1.stdout, test_username])
# change user to be expired[“chage”, “-E0”, test_username])

# Act
result = pam.authenticate(test_api, test_username, test_password)

# Assert – login should fail
assert not result

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [the Cobbler repository](
* Ask in the [Gitter/Matrix Chat](
* Email us at []( More

Back to Main

Subscribe for the latest news: