Bug 2228098

Summary: password prompt is printed twice for local user on authselect sssd profile
Product: Red Hat Enterprise Linux 9
Component: authselect
Version: 9.2
Status: VERIFIED
Severity: low
Priority: unspecified
Reporter: Pavel Březina <pbrezina>
Assignee: Pavel Březina <pbrezina>
QA Contact: Dan Lavu <dlavu>
CC: aboscatt, dlavu, sgadekar, sssd-qe, suwu
Target Milestone: rc
Keywords: Triaged
Hardware: All
OS: All
Whiteboard: sync-to-jira
Fixed In Version: authselect-1.2.6-2.el9
Type: Bug
Clone Of: 2179607
Bug Depends On: 2179607

Description Pavel Březina 2023-08-01 11:59:00 UTC
+++ This bug was initially created as a clone of Bug #2179607 +++

Description of problem:

On an IdM/AD-joined host where the authselect sssd profile is selected, when a local user deliberately enters an incorrect password, a second password prompt is printed:

testuser1 is a local user which exists in /etc/passwd.

~~~
[testuser1@host ~]$ id
uid=1002(testuser1) gid=1002(testuser1) groups=1002(testuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[testuser1@host ~]$ passwd
Changing password for user testuser1.
Current password:            <<<<<===== input incorrect password
Current Password:            <<<<<===== note a different password prompt, capital "P"
passwd: Authentication token manipulation error
~~~

The log messages in /var/log/secure suggest that the second password prompt belongs to pam_sss:

~~~
unix_chkpwd[61458]: password check failed for user (testuser1)
passwd[61456]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1002 euid=0 tty=pts/2 ruser= rhost=  user=testuser1
passwd[61456]: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)
~~~

~~~
# cat system-auth 
<...>

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
~~~

=========

The issue is resolved after adding "pam_localuser" to distinguish local users so that the user will not be evaluated by pam_sss.

~~~
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
~~~


Version-Release number of selected component (if applicable):
# rpm -qa | grep authselect
authselect-libs-1.2.5-2.el8_7.x86_64
authselect-compat-1.2.5-2.el8_7.x86_64
authselect-1.2.5-2.el8_7.x86_64


How reproducible:
All the time

Actual results:
The password prompt is printed twice when an incorrect password is entered.

Expected results:
If an incorrect password is entered, the password prompt should be printed once and the command should terminate/return failure.

Additional info:

--- Additional comment from Pavel Březina on 2023-04-03 10:30:34 UTC ---

Thank you, I can reproduce the issue.

Upstream ticket: https://github.com/authselect/authselect/issues/338

--- Additional comment from Pavel Březina on 2023-06-29 12:14:16 UTC ---

Upstream PR: https://github.com/authselect/authselect/pull/344
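The stacks quoted in the report show the mechanism: pam_unix is `sufficient`, so when it fails for a local user control falls through to the next line, and pam_sss issues its own "Current Password:" prompt before failing. The fix works only because `[success=1 default=ignore]` on pam_localuser skips exactly one module, the pam_sss line directly after it. The following script is an added example, not part of the bug report or of authselect itself: it audits the `password` section of a PAM stack file and reports UNGUARDED when a pam_sss.so line is not immediately preceded by that pam_localuser guard. The two sample stacks it builds are constructed copies of the before/after snippets above; on a real host you would point it at /etc/pam.d/system-auth and /etc/pam.d/password-auth, which authselect generates.

```shell
#!/usr/bin/env bash
# Added example (not authselect's own code): audit the "password" section of a
# PAM stack file for the layout described in this bug, where a local user whose
# pam_unix chauthtok fails falls through to pam_sss and is prompted a second time.
#
# Prints GUARDED   when every pam_sss.so password line is immediately preceded by
#                  "pam_localuser.so" with control [success=1 default=ignore]
# Prints UNGUARDED when at least one pam_sss.so password line is reachable by
#                  local users
# Exit status 0 for GUARDED, 1 for UNGUARDED, so it can be used in a check script.
check_pam_password_stack() {
    local file="$1"
    awk '
        /^[[:space:]]*(#|$)/ { next }      # skip comments and blank lines
        $1 != "password"     { next }      # only the password (chauthtok) stack
        {
            # The control field may be a bracketed expression containing spaces,
            # so collect every field up to the first token ending in ".so".
            module = ""; ctrl = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /\.so$/) { module = $i; break }
                ctrl = (ctrl == "" ? $i : ctrl " " $i)
            }
            if (module == "pam_sss.so" && !guarded) unguarded++
            # [success=1 default=ignore] skips exactly one module, so the guard
            # protects only the very next line in the stack.
            guarded = (module == "pam_localuser.so" && ctrl == "[success=1 default=ignore]")
        }
        END {
            if (unguarded > 0) { print "UNGUARDED"; exit 1 }
            print "GUARDED"; exit 0
        }
    ' "$file"
}

# Constructed sample stacks mirroring the before/after snippets from the bug
# report; these are not files copied from a real host.
vulnerable_stack=$(mktemp)
cat > "$vulnerable_stack" <<'EOF'
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
EOF

fixed_stack=$(mktemp)
cat > "$fixed_stack" <<'EOF'
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
EOF

# Stand-alone run. On a real host replace the sample paths with
# /etc/pam.d/system-auth and /etc/pam.d/password-auth.
for f in "$vulnerable_stack" "$fixed_stack"; do
    printf '%s: ' "$f"
    check_pam_password_stack "$f" \
        || echo "  fix: insert 'password [success=1 default=ignore] pam_localuser.so' directly before pam_sss.so"
done
```

The check is deliberately strict about adjacency: a pam_localuser line anywhere earlier in the stack, or one with a different jump count, does not protect pam_sss, and the script reports that as UNGUARDED rather than guessing.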