Bug 1949070

Summary: 'try_first_pass' option no longer works on some PAM modules in RHEL8
Product: Red Hat Enterprise Linux 8 Reporter: kyoneyama <kyoneyam>
Component: authselectAssignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA QA Contact: Dan Lavu <dlavu>
Severity: low Docs Contact:
Priority: low    
Version: 8.3CC: dlavu, ipedrosa
Target Milestone: betaKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: authselect-1.2.2-3.el8 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-09 19:59:51 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Comment 1 Pavel Březina 2021-04-21 11:35:36 UTC 
Iker, can you please check if try_first_pass is still supported and if not what was the reason to remove it?
Comment 2 Iker Pedrosa 2021-04-21 13:32:43 UTC 
Even though try_first_pass is mentioned in the pam_unix documentation I don't see any reference to it in the code apart from the arguments table in support.h. Unfortunately, I don't know if this is intentional and upstream is planning to retire or if it's an actual error. I've opened an issue upstream to track this part of the problem: https://github.com/linux-pam/linux-pam/issues/357

As for pam_pwquality, this module comes from another project. I've checked it and there isn't any reference in the documentation for the argument in Fedora 33. In any case, I'm adding Paul to the conversation so that he can comment.
Comment 3 Iker Pedrosa 2021-04-22 07:57:57 UTC 
According to upstream pam_unix behaves as if 'try_first_pass' was always set and the documentation should be improved. So, I think that the reporter is right in that the argument can be removed for pam_unix.

Moreover, I have created a task for pam to improve the documentation: https://bugzilla.redhat.com/show_bug.cgi?id=1952388
Comment 5 Pavel Březina 2021-05-13 08:44:07 UTC 
Upstream ticket:
https://github.com/authselect/authselect/issues/247

Upstream PR:
https://github.com/authselect/authselect/pull/248
Comment 8 Pavel Březina 2021-07-09 11:53:58 UTC 
https://github.com/authselect/authselect/pull/248
Comment 16 errata-xmlrpc 2021-11-09 19:59:51 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (authselect bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:4482