Bug 983028
| Summary: | passwd returns "Authentication token manipulation error" when entering wrong current password | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Ron van der Wees <rvdwees> |
| Component: | sssd | Assignee: | Jakub Hrozek <jhrozek> |
| Status: | CLOSED ERRATA | QA Contact: | Kaushik Banerjee <kbanerje> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 6.4 | CC: | dpal, grajaiya, jgalipea, lslebodn, mkosek, mtessun, nkarandi, pbrezina |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | sssd-1.9.2-121.el6 | Doc Type: | Bug Fix |
| Doc Text: |
Cause: User changing hist password via passwd mistyped current password.
Consequence: SSSD returned generic error code to passwd which resulted in "Authentication token manipulation error". This message confused user because it looks like a system error.
Fix: When user mistype current password, SSSD prints additional message "Old password not accepted".
Result: The output of password change now suggest that the current password was not accepted.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-11-21 22:20:39 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Ron van der Wees
2013-07-10 10:20:27 UTC
Similar issue when the new password does not match the password policy as configured on the LDAP server: ~~~ $ passwd Changing password for user ldapuser Current Password: New Password: Reenter new Password: Password change failed. Server message: Failed to update password passwd: Authentication token is no longer valid; new one required ~~~ The end user will be unaware of the real reason for the password change reject. As discussed yesterday on IRC and as you noted, the same happens with a local user. The SSSD correctly returns the PAM error code for wrong password. Please follow up with the passwd(1) maintainer if you think this is a bug, but definitely not SSSD problem. Upstream ticket: https://fedorahosted.org/sssd/ticket/1827 Upstream ticket: https://fedorahosted.org/sssd/ticket/2029 Fixed upstream Tested with sssd-1.9.2-128.el6.x86_64 :: [ PASS ] :: Running 'getent passwd sssduser1' (Expected 0, got 0) spawn ssh -o StrictHostKeyChecking=no sssduser1@localhost sssduser1@localhost's password: Last login: Fri Oct 25 13:57:14 2013 from localhost id: cannot find name for group ID 10011 [sssduser1@dhcp207-156 ~]$ passwd Changing password for user sssduser1. Current Password: Password change failed. Server message: Old password not accepted. passwd: Authentication token manipulation error [sssduser1@dhcp207-156 ~]$ passwd Changing password for user sssduser1. Current Password: New password: BAD PASSWORD: it is based on a dictionary word New password: BAD PASSWORD: it is based on a dictionary word New password: BAD PASSWORD: it is based on a dictionary word passwd: Have exhausted maximum number of retries for service [sssduser1@dhcp207-156 ~]$ passwd Changing password for user sssduser1. Current Password: New password: Retype new password: passwd: all authentication tokens updated successfully. :: [ PASS ] :: Running 'su_success sssduser1 LionKing@_123' (Expected 0, got 0) Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1680.html |