Bug 2228098 - password prompt is printed twice for local user on authselect sssd profile
Summary: password prompt is printed twice for local user on authselect sssd profile
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: authselect
Version: 9.2
Hardware: All
OS: All
Priority: unspecified
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Pavel Březina
QA Contact: Dan Lavu
URL:
Whiteboard: sync-to-jira
Depends On: 2179607
Blocks:
Reported: 2023-08-01 11:59 UTC by Pavel Březina
Modified: 2023-08-16 13:27 UTC (History)

Fixed In Version: authselect-1.2.6-2.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2179607
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHELPLAN-164011 0 None None None 2023-08-01 13:00:05 UTC
Red Hat Issue Tracker SSSD-6497 0 None None None 2023-08-01 13:00:20 UTC

Description Pavel Březina 2023-08-01 11:59:00 UTC
+++ This bug was initially created as a clone of Bug #2179607 +++

Description of problem:

On an IdM/AD-joined host where the authselect sssd profile is selected, when a local user deliberately enters an incorrect password, a second password prompt is printed:

testuser1 is a local user which exists in /etc/passwd.

~~~
[testuser1@host ~]$ id
uid=1002(testuser1) gid=1002(testuser1) groups=1002(testuser1) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

[testuser1@host ~]$ passwd
Changing password for user testuser1.
Current password:            <<<<<===== input incorrect password
Current Password:            <<<<<===== note a different password prompt, capital "P"
passwd: Authentication token manipulation error
~~~

The log message in /var/log/secure suggests that the second password prompt belongs to pam_sss:

~~~
unix_chkpwd[61458]: password check failed for user (testuser1)
passwd[61456]: pam_unix(passwd:chauthtok): authentication failure; logname= uid=1002 euid=0 tty=pts/2 ruser= rhost=  user=testuser1
passwd[61456]: pam_sss(passwd:chauthtok): Authentication failed for user testuser1: 4 (System error)
~~~

~~~
# cat system-auth 
<...>

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
~~~

=========

The issue is resolved after adding "pam_localuser" to distinguish local users so that the user will not be evaluated by pam_sss.

~~~
password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    [success=1 default=ignore]                   pam_localuser.so
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so
~~~


Version-Release number of selected component (if applicable):
# rpm -qa | grep authselect
authselect-libs-1.2.5-2.el8_7.x86_64
authselect-compat-1.2.5-2.el8_7.x86_64
authselect-1.2.5-2.el8_7.x86_64


How reproducible:
All the time

Actual results:
The password prompt is printed twice when an incorrect password is entered.

Expected results:
If an incorrect password is entered, the password prompt should be printed once and the command should terminate/return failure.

Additional info:

--- Additional comment from Pavel Březina on 2023-04-03 10:30:34 UTC ---

Thank you, I can reproduce the issue.

Upstream ticket: https://github.com/authselect/authselect/issues/338

--- Additional comment from Pavel Březina on 2023-06-29 12:14:16 UTC ---

Upstream PR: https://github.com/authselect/authselect/pull/344
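The stack behaviour described in the report, as an added illustration that is not part of the bug report or of the authselect project: a small Python model of how Linux-PAM walks a "password" stack under the requisite, sufficient, required and [success=N default=ignore] controls. It shows why, without pam_localuser, a failed pam_unix falls through to pam_sss (the second prompt), and why the [success=1 default=ignore] line makes pam_sss skipped for local users while leaving IdM/AD users on the pam_sss path. The module behaviours, the two account databases and the control semantics are constructed, simplified stand-ins (the real pam_sss failure in the report is a "System error", not a plain authentication failure).

```python
import re

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Constructed account databases: stand-ins for /etc/passwd + /etc/shadow and
# for the accounts SSSD would resolve from IdM/AD. Not real credentials.
LOCAL_USERS = {"testuser1": "correct-horse"}
SSSD_USERS = {"aduser": "ad-secret"}


def pam_pwquality(user, password, trace):
    """Stand-in for pam_pwquality; quality checks are not the point here."""
    return PAM_SUCCESS


def pam_unix(user, password, trace):
    """Stand-in for pam_unix: prompts only for users it knows locally."""
    if user not in LOCAL_USERS:
        return PAM_USER_UNKNOWN
    trace.append("pam_unix: 'Current password:'")
    return PAM_SUCCESS if LOCAL_USERS[user] == password else PAM_AUTH_ERR


def pam_localuser(user, password, trace):
    """Stand-in for pam_localuser: succeeds iff the user is in /etc/passwd."""
    return PAM_SUCCESS if user in LOCAL_USERS else PAM_USER_UNKNOWN


def pam_sss(user, password, trace):
    """Stand-in for pam_sss: issues its own prompt (the capital-P one)."""
    trace.append("pam_sss: 'Current Password:'")
    if user in SSSD_USERS and SSSD_USERS[user] == password:
        return PAM_SUCCESS
    return PAM_AUTH_ERR


def pam_deny(user, password, trace):
    return PAM_PERM_DENIED


def run_stack(stack, user, password):
    """Walk a password stack with simplified Linux-PAM control semantics.

    Returns (final result, list of prompts that were shown to the user).
    """
    trace = []
    first_failure = None
    i = 0
    while i < len(stack):
        control, module = stack[i]
        result = module(user, password, trace)
        if control == "requisite":
            if result != PAM_SUCCESS:
                return result, trace            # fail immediately
        elif control == "required":
            if result != PAM_SUCCESS and first_failure is None:
                first_failure = result          # remember it, keep walking
        elif control == "sufficient":
            if result == PAM_SUCCESS:
                return (first_failure or PAM_SUCCESS), trace
            # a failed 'sufficient' module is ignored; the stack continues
        else:
            m = re.fullmatch(r"\[success=(\d+) default=ignore\]", control)
            if not m:
                raise ValueError("unsupported control: " + control)
            if result == PAM_SUCCESS:
                i += int(m.group(1))            # jump over the next N modules
        i += 1
    return (first_failure or PAM_SUCCESS), trace


# The two stacks from the report, minus module options that do not matter here.
ORIGINAL_STACK = [
    ("requisite", pam_pwquality),
    ("sufficient", pam_unix),
    ("sufficient", pam_sss),
    ("required", pam_deny),
]
FIXED_STACK = [
    ("requisite", pam_pwquality),
    ("sufficient", pam_unix),
    ("[success=1 default=ignore]", pam_localuser),
    ("sufficient", pam_sss),
    ("required", pam_deny),
]

if __name__ == "__main__":
    for label, stack in (("original", ORIGINAL_STACK), ("fixed", FIXED_STACK)):
        for user, pw in (("testuser1", "wrong"), ("testuser1", "correct-horse"), ("aduser", "ad-secret")):
            result, prompts = run_stack(stack, user, pw)
            print(f"{label:8} {user:10} -> {result:16} prompts={prompts}")
```

Running it shows the local user with a wrong password getting two prompts on the original stack and one on the fixed stack, while the SSSD-backed user still reaches pam_sss on both.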

