Bug 2179607

Summary: password prompt is printed twice for local user on authselect sssd profile
Product: Red Hat Enterprise Linux 8
Reporter: Sunny Wu <suwu>
Component: authselect
Assignee: Pavel Březina <pbrezina>
Status: VERIFIED
QA Contact: Dan Lavu <dlavu>
Severity: low
Docs Contact:
Priority: unspecified
Version: 8.7
CC: aboscatt, atikhono, dlavu, ksrot
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: All
Whiteboard: sync-to-jira
Fixed In Version: authselect-1.2.6-2.el8
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2228098
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 2228098

Description Sunny Wu 2023-03-19 03:30:06 UTC
Description of problem:

On an IdM/AD-joined host where the authselect sssd profile is selected, when a local user deliberately enters an incorrect password, a second password prompt is printed:

testuser1 is a local user which exists in /etc/passwd.

~~~
[testuser1@host ~]$ id
uid=1002(testuser1) gid=1002(testuser1) groups=1002(testuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[testuser1@host ~]$ passwd
Changing password for user testuser1.
Current password:            <<<<<===== input incorrect password
Current Password:            <<<<<===== note a different password prompt, capital "P"
passwd: Authentication token manipulation error
~~~

The log messages in /var/log/secure suggest that the second password prompt belongs to pam_sss:

~~~
unix_chkpwd[61458]: password check failed for user (testuser1)
passwd[61456]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1002 euid=0 tty=pts/2 ruser= rhost=  user=testuser1
passwd[61456]: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)
~~~

~~~
# cat system-auth 
<...>

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
~~~

=========

The issue is resolved after adding "pam_localuser" to distinguish local users so that the user will not be evaluated by pam_sss.

~~~
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
~~~


Version-Release number of selected component (if applicable):
# rpm -qa | grep authselect
authselect-libs-1.2.5-2.el8_7.x86_64
authselect-compat-1.2.5-2.el8_7.x86_64
authselect-1.2.5-2.el8_7.x86_64


How reproducible:
All the time

Actual results:
The password prompt is printed twice when an incorrect password is entered

Expected results:
If an incorrect password is entered, the password prompt should be printed once and the command should terminate/return failure.

Additional info:
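To trace why the original stack above yields the second prompt and why the pam_localuser line removes it, here is an added Python model of libpam's stack walk (example code written for this page, not authselect's or the reporter's). It parses the two system-auth fragments from the report and applies the control-flag semantics from pam.conf(5) (requisite, sufficient, required and [success=N default=ignore]) with constructed module outcomes standing in for the real modules: pam_unix failing on the wrong current password, pam_localuser succeeding for an /etc/passwd user, pam_sss failing. The module results, the single-pass treatment of chauthtok and the assumption that only pam_unix and pam_sss prompt are simplifications made here, not facts from the report.

```python
"""Simplified model of libpam's 'password' stack dispatch.

Added illustration, not authselect code: it walks a PAM stack using the
control semantics documented in pam.conf(5) so the double prompt from
the bug report can be traced without a real PAM installation.  Module
outcomes are constructed inputs, not calls into real modules.
"""
import re

PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"

# Password stack from the sssd profile, as quoted in the report.
ORIGINAL_STACK = """
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
"""

# The reporter's fix: pam_localuser skips the next line for local users.
FIXED_STACK = """
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
"""

# type, control (keyword or [bracketed] form), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]+\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Return a list of (control, module) for each non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: " + line)
        entries.append((m.group(2), m.group(3)))
    return entries


def expand_control(control):
    """Map a control keyword to its [success=.. default=..] action table."""
    keywords = {
        "required":   {"success": "ok", "default": "bad"},
        "requisite":  {"success": "ok", "default": "die"},
        "sufficient": {"success": "done", "default": "ignore"},
        "optional":   {"success": "ok", "default": "ignore"},
    }
    if control in keywords:
        return keywords[control]
    actions = {}
    for item in control.strip("[]").split():
        key, value = item.split("=", 1)
        actions[key] = value
    return actions


def run_password_stack(entries, outcomes):
    """Walk the stack; outcomes maps module -> the result it would return.

    Returns (final_result, modules_invoked).  ok records success, bad
    records failure and continues, die returns failure at once, done
    returns success at once unless a required module already failed,
    ignore drops the result, and an integer skips that many lines.
    """
    invoked = []
    recorded_failure = False
    i = 0
    while i < len(entries):
        control, module = entries[i]
        invoked.append(module)
        result = outcomes.get(module, PAM_AUTH_ERR)
        actions = expand_control(control)
        action = actions.get(result, actions.get("default", "bad"))
        if action.isdigit():          # success=N: jump over N lines
            i += int(action) + 1
            continue
        if action == "bad":
            recorded_failure = True
        elif action == "die":
            return PAM_AUTH_ERR, invoked
        elif action == "done" and not recorded_failure:
            return PAM_SUCCESS, invoked
        i += 1                        # "ok" and "ignore" just continue
    return (PAM_AUTH_ERR if recorded_failure else PAM_SUCCESS), invoked


# Constructed scenario: local user testuser1 types a wrong current password.
LOCAL_USER_WRONG_PASSWORD = {
    "pam_pwquality.so": PAM_SUCCESS,   # assumed: quality check passes
    "pam_unix.so": PAM_AUTH_ERR,       # wrong current password, as logged
    "pam_localuser.so": PAM_SUCCESS,   # user is present in /etc/passwd
    "pam_sss.so": PAM_AUTH_ERR,        # prompts, then fails (SSSD has no such user)
    "pam_deny.so": PAM_AUTH_ERR,
}


def prompt_count(stack_text, outcomes, prompting=("pam_unix.so", "pam_sss.so")):
    """How many 'Current password' prompts the user sees on this stack."""
    _, invoked = run_password_stack(parse_stack(stack_text), outcomes)
    return sum(1 for m in invoked if m in prompting)


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("fixed", FIXED_STACK)):
        result, invoked = run_password_stack(parse_stack(stack), LOCAL_USER_WRONG_PASSWORD)
        print(name, result, invoked, "prompts:", prompt_count(stack, LOCAL_USER_WRONG_PASSWORD))
```

On the original stack the failing pam_unix line is "sufficient", so its failure is ignored and control falls through to pam_sss, which prompts again before pam_deny records the failure; on the fixed stack pam_localuser succeeds for the /etc/passwd user and skips the pam_sss line, so the user sees one prompt and the same failure result.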

Comment 1 Pavel Březina 2023-04-03 10:30:34 UTC
Thank you, I can reproduce the issue.

Upstream ticket: https://github.com/authselect/authselect/issues/338

Comment 2 Pavel Březina 2023-06-29 12:14:16 UTC
Upstream PR: https://github.com/authselect/authselect/pull/344

Comment 3 Alexey Tikhonov 2023-08-01 12:50:38 UTC
*** Bug 1659100 has been marked as a duplicate of this bug. ***