Bug 987997

Summary: RHEL 5.x/6.x - Password is getting changed even after error message received from PAM module
Product: Red Hat Enterprise Linux 6
Reporter: nagesh.bhagwat
Component: pam
Assignee: Tomas Mraz <tmraz>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 6.4
Target Milestone: rc
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-19 13:20:27 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description nagesh.bhagwat 2013-07-24 14:06:18 UTC
Description of problem:

Platform RHEL 5.x/6.x

We have written a sample PAM plugin. Our PAM plugin basically detects password changes and stores them in a local repository. Now we wanted to put some password validation on the passwords that we accept/store for the user.

When we try to change a user password using 'passwd testuser' and enter a new password which complies with the defined password policy, then we have the new password updated in the local repository, and the user's new password is updated in the OS as well.

But when we try to change the password to one which is against the password policy, my PAM application rejects the password, doesn't store the password in the local repository, and also sends an error code back to the operating system. Here the OS throws an error, but even though the error is received, the OS allows the user's password to be changed.

[root@testmachine pam]# passwd testuser1 
Changing password for user testuser1. 
New UNIX password: 
Retype new UNIX password: 
passwd: Authentication token manipulation error

Entry in /etc/pam.d/system-auth

password requisite pam_cracklib.so try_first_pass retry=3
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient MyPAMModule.so
password required pam_deny.so

Not sure why the password is still getting changed instead of an error when our PAM module library sends "PAM_AUTHTOK_ERR" back to the Linux operating system. Why does the OS allow the password change?

Comment 2 RHEL Program Management 2013-10-14 03:02:04 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Tomas Mraz 2014-06-19 13:20:27 UTC
You either have to stack your module before pam_unix and use a different action than 'sufficient', or you have to return the error in the PAM_PRELIM_CHECK phase of the password change.
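The behaviour behind the report and the two fixes in the last comment can be seen in a small simulation of how libpam walks a 'password' stack. This is an added example, not libpam code and not the reporter's module: it models the documented Linux-PAM semantics (pam.conf(5), pam_sm_chauthtok(3)), namely that pam_chauthtok() runs the stack once with PAM_PRELIM_CHECK and, only if that pass succeeds, again with PAM_UPDATE_AUTHTOK, and that 'required' records a failure but keeps going, 'requisite' stops immediately, and 'sufficient' ends the pass on success while its failures are ignored. The `my_module` function, the `State` stand-in for /etc/shadow, and the assumption that the constructed password passes pam_cracklib but not the custom policy are all mine; the return-code and flag values are the real Linux-PAM ones.

```python
# Added example: simulation of libpam's two-pass 'password' stack.  Not libpam
# code and not MyPAMModule.so; module bodies and the State object are constructed.
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Return codes and flags, values as in Linux-PAM's _pam_types.h
PAM_SUCCESS, PAM_AUTHTOK_ERR = 0, 20
PAM_PRELIM_CHECK, PAM_UPDATE_AUTHTOK = 0x4000, 0x2000

@dataclass
class State:
    """Constructed stand-in for /etc/shadow plus the custom module's verdict."""
    policy_ok: bool            # does the new password satisfy MyPAMModule's policy?
    shadow_hash: str = "old"   # what pam_unix would have written to /etc/shadow

Module = Callable[[int, State], int]   # mirrors pam_sm_chauthtok(pamh, flags, ...)

def pam_cracklib(flags: int, state: State) -> int:
    return PAM_SUCCESS          # assumption: the constructed password passes cracklib

def pam_unix(flags: int, state: State) -> int:
    if flags & PAM_UPDATE_AUTHTOK:
        state.shadow_hash = "new"   # irreversible: the shadow entry is rewritten here
    return PAM_SUCCESS

def pam_deny(flags: int, state: State) -> int:
    return PAM_AUTHTOK_ERR      # pam_deny's chauthtok hook returns PAM_AUTHTOK_ERR

def my_module(reject_in_prelim: bool) -> Module:
    """Hypothetical MyPAMModule.so: rejects a bad password in the update pass,
    and optionally already in the preliminary pass."""
    def chauthtok(flags: int, state: State) -> int:
        in_prelim = bool(flags & PAM_PRELIM_CHECK)
        if (not in_prelim or reject_in_prelim) and not state.policy_ok:
            return PAM_AUTHTOK_ERR
        return PAM_SUCCESS
    return chauthtok

Stack = List[Tuple[str, Module]]

def dispatch(stack: Stack, flags: int, state: State) -> int:
    """One pass over the stack with required/requisite/sufficient semantics."""
    failed, status = False, PAM_SUCCESS
    for control, module in stack:
        rv = module(flags, state)
        if control == "requisite" and rv != PAM_SUCCESS:
            return status if failed else rv          # stop the stack right here
        if control == "required" and rv != PAM_SUCCESS and not failed:
            failed, status = True, rv                # remember, but keep going
        if control == "sufficient" and rv == PAM_SUCCESS and not failed:
            return PAM_SUCCESS                       # done; later modules never run
        # a failing 'sufficient' module is simply ignored
    return status

def pam_chauthtok(stack: Stack, state: State) -> int:
    """libpam walks the password stack twice: PAM_PRELIM_CHECK first, then
    PAM_UPDATE_AUTHTOK only if the preliminary pass succeeded."""
    rv = dispatch(stack, PAM_PRELIM_CHECK, state)
    if rv != PAM_SUCCESS:
        return rv
    return dispatch(stack, PAM_UPDATE_AUTHTOK, state)

def change_password(stack: Stack, policy_ok: bool = False) -> Tuple[int, bool]:
    """Returns (status passwd would report, whether /etc/shadow was rewritten)."""
    state = State(policy_ok=policy_ok)
    rv = pam_chauthtok(stack, state)
    return rv, state.shadow_hash != "old"

# 1. The stack from the report: module after pam_unix as 'sufficient', rejecting
#    only in the update pass.  pam_unix has already written the new hash by the
#    time the module says no; its failure is ignored and pam_deny supplies the
#    PAM_AUTHTOK_ERR ("Authentication token manipulation error") passwd prints.
REPORTED = [("requisite", pam_cracklib), ("required", pam_unix),
            ("sufficient", my_module(reject_in_prelim=False)), ("required", pam_deny)]

# 2. Same position, 'required', and the error returned in PAM_PRELIM_CHECK:
#    the preliminary pass fails, so the update pass (and pam_unix) never runs.
PRELIM_FIX = [("requisite", pam_cracklib), ("required", pam_unix),
              ("required", my_module(reject_in_prelim=True))]

# 3. Module stacked before pam_unix as 'requisite': its failure ends the pass
#    before pam_unix can write anything, whichever pass it happens in.
REQUISITE_FIX = [("requisite", pam_cracklib),
                 ("requisite", my_module(reject_in_prelim=False)), ("required", pam_unix)]

# 4. Caveat: 'required' before pam_unix only records the failure and lets the
#    stack continue, so an update-pass-only rejection still lets pam_unix write.
REQUIRED_BEFORE_UNIX = [("requisite", pam_cracklib),
                        ("required", my_module(reject_in_prelim=False)), ("required", pam_unix)]

if __name__ == "__main__":
    for name, stack in [("reported", REPORTED), ("prelim fix", PRELIM_FIX),
                        ("requisite fix", REQUISITE_FIX), ("required before unix", REQUIRED_BEFORE_UNIX)]:
        rv, changed = change_password(stack)
        print(f"{name:22s} status={rv:2d} shadow rewritten={changed}")
```

Scenario 4 is the reason "a different action than 'sufficient'" should be read as 'requisite' when the module only rejects during PAM_UPDATE_AUTHTOK: 'required' defers the failure to the end of the pass, and pam_unix has no way of knowing an earlier module objected. Rejecting in the preliminary pass is the more robust option because it keeps the stack from ever reaching the pass in which /etc/shadow is modified.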