Bug 811168

Summary: fix pam_get_authtok_verify() to respect the authtok_type= option
Product: Red Hat Enterprise Linux 6 Reporter: Miroslav Vadkerti <mvadkert>
Component: pam Assignee: Tomas Mraz <tmraz>
Status: CLOSED ERRATA QA Contact: Dalibor Pospíšil <dapospis>
Severity: low Docs Contact:
Priority: low    
Version: 6.3 CC: dapospis, dspurek
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: pam-1.1.1-12.el6 Doc Type: Bug Fix
Doc Text:
Cause: The PAM_AUTHTOK_TYPE PAM item was not properly saved in the pam_get_authtok_verify() function.
Consequence: The authentication token type as specified with the authtok_type option of the pam_cracklib module was not respected in the 'Retype new password' message.
Fix: The pam_get_authtok_verify() function was fixed to properly save the PAM_AUTHTOK_TYPE item.
Result: The authentication token type as specified with the authtok_type option of the pam_cracklib module is now respected in the 'Retype new password' message.
Last Closed: 2013-02-21 10:36:51 UTC Type: Bug

Description Miroslav Vadkerti 2012-04-10 10:26:23 UTC
Description of problem:
When using the authtok_type parameter for the pam_cracklib module, the given string isn't shown at the retype prompt:

# passwd pamtest6209
Changing password for user pamtest6209.
New PAMTEST password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

According to the man page:
authtok_type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option, by default it is empty.

Version-Release number of selected component (if applicable):
pam-1.1.1-10.el6_2.1

How reproducible:
100%

Steps to Reproduce:
1. Set authtok_type for pam:
password required pam_cracklib.so authtok_type=PAMTEST
2. useradd test
3. passwd test
  
Actual results:
functionality <-> man page inconsistency

Expected results:
Man page correct, or string shown also at retype prompt

Additional info:
Not a regression

Comment 1 Tomas Mraz 2012-04-10 13:40:26 UTC
This depends on the following modules in the PAM stack. If they used the pam_get_authtok() function, it would work. Unfortunately pam_unix doesn't.

Basically this is a request to modify pam_unix to use the pam_get_authtok() function to obtain the password.

Comment 3 Tomas Mraz 2012-08-09 10:30:38 UTC
I was wrong in comment #1 - this is actually a bug in pam_get_authtok_verify().

Comment 8 errata-xmlrpc 2013-02-21 10:36:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0521.html