RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1659100 - Current password prompt inconsistency if wrong password is entered at the first prompt
Summary: Current password prompt inconsistency if wrong password is entered at the fir...
Keywords:
Status: CLOSED DUPLICATE of bug 2179607
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: 8.0
Assignee: jstephen
QA Contact: Dan Lavu
URL:
Whiteboard:
Depends On: 1679650
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-12-13 15:04 UTC by Karel Srot
Modified: 2023-08-01 12:50 UTC (History)
13 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2023-08-01 12:50:38 UTC
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5363 0 None open "Current Password:" shows inappropriately when using passwd to change normal user 2023-08-01 10:05:42 UTC
Red Hat Issue Tracker SSSD-3121 0 None None None 2023-08-01 10:03:53 UTC

Description Karel Srot 2018-12-13 15:04:51 UTC 
Description of problem:

$ passwd
Changing password for user karel.
Current password: 
Current Password: 

Notice the difference in letter 'p' vs 'P' above.

passwd-0.80-2.el8
Comment 2 Jiri Kucera 2019-06-18 00:36:55 UTC 
The "Current password: " prompt comes from PAM (CC'ing tmraz). I am not sure if also the second prompt comes from PAM (`grep -r -E -e 'Current.*Password' .` inside PAM src directory has no match), but surely such a string is not emitted by passwd.
Comment 3 Tomas Mraz 2019-06-18 06:12:51 UTC 
I am tentatively reassigning to authselect as this is the place where the investigation should happen. It depends on the PAM configuration and it is either caused directly by incorrect PAM configuration or by some PAM module in the configuration.
Comment 4 Pavel Březina 2019-06-21 10:51:22 UTC 
Karel, please attach contents of /etc/pam.d/system-auth.
Comment 5 Karel Srot 2019-06-21 10:56:45 UTC 
$ cat /etc/pam.d/system-auth
# Generated by authselect on Fri Jun 21 08:20:27 2019
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so try_first_pass local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so
Comment 6 Pavel Březina 2019-06-28 09:34:34 UTC 
Is 'karel' a local or LDAP user?

The message with uppercase 'P' comes probably from SSSD:
src/sss_client/pam_sss.c:                    ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
src/sss_client/pam_sss.c:                    ret = prompt_2fa(pamh, pi, _("First Factor (Current Password): "),
src/sss_client/pam_sss.c:                ret = prompt_password(pamh, pi, _("Current Password: "));
Comment 7 Tomas Mraz 2019-06-28 09:39:53 UTC 
The pam_sss should not ask for the current password again. Either this is a bug in pam_sss or the configuration should add try_first_pass to the password sufficient pam%sss.so line.
Comment 8 Karel Srot 2019-06-28 09:44:57 UTC 
(In reply to Pavel Březina from comment #6)
> Is 'karel' a local or LDAP user?

local user
Comment 9 Karel Srot 2019-06-28 09:47:09 UTC 
I am very sorry, I can see that I didn't state it clearly but I have provided wrong password in the 1st prompt. Therefore the 2nd prompt appeared I guess. Originally, I was really just reporting the difference in the prompt.
Comment 10 Tomas Mraz 2019-06-28 10:02:38 UTC 
OK, this makes the situation more clear. Does pam_sss support use_first_pass option in the password stack? If so, this option should be used with it.

The problem is that even if you entered the right password at the second prompt, the password change would fail anyway. The second prompt is basically useless.
Comment 11 Pavel Březina 2019-06-28 10:53:33 UTC 
Thanks, I can now reproduce it when providing incorrect password for the first time. 'use_first_pass' seems to help, but I'd like to confirm this with Sumit to be clear that it is the right choice and won't break possible 2FA.
Comment 12 Tomas Mraz 2019-06-28 11:53:42 UTC 
2FA should not apply to changing passwords - i.e. pam_sss should fail if invoked in the PAM password stack for an user with 2FA set.
Comment 13 Sumit Bose 2019-06-28 16:16:10 UTC 
Hi,

SSSD currently lets the user change the first factor, the long term component (password), with the help of the passwd command if the user is allowed to change it on the server side. For this pam_sss has to ask for the second factor as well to get the needed authorization to change the first factor. But this is currently handle a bit inflexible by pam_sss, mainly it does not check if the old password was already requested by some other component. So I would suggest to move this ticket to the SSSD component and make sure pam_sss does not ask if the old password is already available.

bye,
Sumit
Comment 14 Pavel Březina 2019-07-01 07:42:21 UTC 
Thank you Sumit. I switched the component to SSSD.
Comment 28 RHEL Program Management 2021-05-21 07:30:55 UTC 
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.
Comment 30 Alexey Tikhonov 2023-08-01 12:50:38 UTC 

*** This bug has been marked as a duplicate of bug 2179607 ***
Note You need to log in before you can comment on or make changes to this bug.