Bug 1694771

Summary: pam_get_authtok_verify() in libpam triggers extra password prompts
Product: Red Hat Enterprise Linux 7 Reporter: Julio Entrena Perez <jentrena>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: high Docs Contact:
Priority: high    
Version: 7.6CC: dapospis, ssorce
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: pam-1.1.8-23.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1694772 (view as bug list) Environment:
Last Closed: 2020-03-31 19:10:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1694772, 1711916    

Description Julio Entrena Perez 2019-04-01 15:27:41 UTC 
Description of problem:
Configuring pam_pwhistory on top of the default stack results in an extra, third password prompt when users change their passwords.

Version-Release number of selected component (if applicable):
pam-1.1.8-22.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Create /etc/pam.d/system-auth-local with the following contents:

auth        include       system-auth-ac

account     include       system-auth-ac

password    requisite     pam_pwhistory.so try_first_pass remember=6 use_authok
password    include       system-auth-ac

session     include       system-auth-ac

2. Modify /etc/pam.d/system-auth softlink to point to above system-auth-local

3. Edit file /etc/pam.d/system-auth-ac and add option "use_authtok" to pam_pwquality.so

4. As a local user, try changing the password and use a complex enough and not previously used password:
[bob@rhel7 ~]$ passwd
Changing password for user bob.
Changing password for bob.
(current) UNIX password:

Actual results:

New password:
Retype new password:
Retype new password:
passwd: all authentication tokens updated successfully.
[bob@rhel7 ~]$

Three password prompts are issued.

Expected results:

New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[bob@rhel7 ~]$

Two password prompts are issued.

Additional info:
Comment 6 Simo Sorce 2019-06-21 20:59:54 UTC 
Adding to RPL tracker
Comment 11 errata-xmlrpc 2020-03-31 19:10:34 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1005