Users are unable to unlock their screen with xscreensaver when VAS enters disconnected mode (4251083)

Users are unable to unlock their screen with xscreensaver when VAS enters "disconnected mode". You may receive the error mesage "not enough permission to read the password hash cache."

Disconnected mode works by caching user password hashes in a local database. Due to security reasons, only root is allowed access to this database.  

Screensavers typically do not run as root  (xscreensaver process runs as the user-account).  Since the disconnected cache is root owned,  users are unable to use disconnected mode authentication to unlock the screensaver.

WORKAROUND

None

RESOLUTION

Issue fixed in version 3.3.2. The latest version of Vintela Authentication Services can be downloaded at: http://support.quest.com/support_download/Downloads.asp
Version 3.3.2+ includes new functionality that creates a user readable password hash at login. This allows the xscreensaver process to access the hash and the user will be able to login when disconnected.

Additional Information:

These options are enabled by default. See below for more informaton.

enable-nonroot-disconnected-cache = <boolean>
Default value: true

VAS maintains a root readable cache of password hashes to support disconnected authentication (unless explicitly configured not too). Some applications that are required to validate password do not, however, run as root. The most common of such applications are screensaver applications such as xscreensaver. In order for a user to be able to unlock the screen when not connected to the network, VAS caches a hash of the user's password after successful login in a user-readable file.

These user-readable files are located, by default, in /tmp. Only one hash is stored in each file and the file is owned by the user whose password hash it contains. The enabled-nonroot-disconnected-cache option is provided to allow for disabling this feature. If the enable-nonroot-disconnected-cache option is set to false, these user readable hashes will not be created, neither will they be used to validate password in the event that they were created previous to having disabled the feature. An example of how to disable the nonroot disconnected cache can be seen below.

[vas_auth]
enable-nonroot-disconnected-cache = false

nonroot-disconnected-cache-dir = <path definition>
Default value: /tmp

If the nonroot disconnected cache is enabled (which it is by default), the option nonroot-disconnected-cache-dir specifies the directory where the user readable password hash files will be stored.
The directory should be an absolute directory path but it may also include the special %homedir% expansion macro to indicate the user's home directory. The path specified must exist and it must be a directory, if either of these conditions is not met, the default will be used.

Below you will find an example of configuring the user-readable cache location so that it is contained in the user's homedirectory. This might cause some issues if the user were using a network file system (such as NFS).

[vas_auth]
nonroot-disconnected-cache = %homedir%