From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10) Gecko/20050719 Red Hat/1.0.6-1.4.1 Firefox/1.0.6 Description of problem: During the PAM_PRELIM_CHECK phase of pam_sm_chauthtok, a call to pam_set_item() set the PAM_AUTHTOK item to the validated password. It correctly *uses* PAM_OLDAUTHTOK for use_first_pass is true and correctly sets PAM_AUTHTOK to the *new* password in the PAM_UPDATE_AUTHTOK phase. As you can imagine, this causes problems for stacked modules that follow pam_krb5 that want to use_first_pass. Rather worse than that both calls to pam_set_item() pass "&password" as the last parameter. Since this last parameter is passed to strdup() you store rubbish in pamh->authtok (if you're lucky) or experience a painful segmentation fault (if you're not). That's why I've set this to "high" -- it's a matter of luck that passwd(1) doesn't crash. The other calls to pam_set_item() in auth.c are, thankfully, correct. Version-Release number of selected component (if applicable): pam_krb5-2.1.2-1 How reproducible: Always Steps to Reproduce: 1. grep -n pam_set_item .../pam_krb5-2.1.2-1/src/password.c Actual Results: 187: pam_set_item(pamh, PAM_AUTHTOK, &password); 250: pam_set_item(pamh, PAM_AUTHTOK, &password); Expected Results: 187: pam_set_item(pamh, PAM_OLDAUTHTOK, password); 250: pam_set_item(pamh, PAM_AUTHTOK, password); Additional info:
Created attachment 118639 [details] Proposed patch. Just to save you some work :-) I've tested this, pam_krb5 now behaves as expected when changing passwords.
Fixed in 2.1.16. Thanks!