Red Hat Bugzilla – Bug 443872
Three error prompts from pam_unix with use_authtok for old password check
Last modified: 2009-01-20 17:04:27 EST
Description of problem:
If a user has a password that has expired and is in the X day window where they
can change it before it is rendered inactive and tries to create the new
password with one that was previously used, an error occurs stating "Password
has already been used. Choose another.". This error is correct but the user
has to click 3 separate windows.
Version-Release number of selected component (if applicable):
1. Utilize pam_passwdqc in system-auth.
2. Set "remember=7" for pam_unix.
3. Cause a few password changes through aging (chage) and then try to change
password to previously used password.
"Password has already been used. Choose another." is shown three times in a row
to console or gdm.
If the password history was consulted, like cracklib, the user would have
another chance to enter a new password within all of the password constraints.
Doesn't cause a security failure, but this functionality IMHO is inconsistent
with desired behavior.
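The password stack that the reproduction steps describe, written out as an added illustration; this is not the reporter's attached system-auth-ac, and every option other than remember=7 and use_authtok is an assumed, typical value.

```text
# /etc/pam.d/system-auth-ac, password section only (illustrative, not the attachment)
#
# pam_passwdqc prompts for and vets the new password (strength rules, retry loop).
# Option values below are assumed defaults, not taken from the bug report.
password    requisite     pam_passwdqc.so min=disabled,24,12,8,7 max=40 retry=3 enforce=everyone

# pam_unix takes the already-accepted token (use_authtok) and consults the
# remember=7 history in /etc/security/opasswd. On a history hit it cannot
# re-prompt, because the token was collected upstream; the report says the
# "Password has already been used" message is then shown three times.
password    sufficient    pam_unix.so md5 shadow nullok use_authtok remember=7

password    required      pam_deny.so
```

Swapping pam_passwdqc for pam_cracklib in the first line gives the stack the reporter compares against, where the history check and the re-prompt happen in the same module.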
Can you please attach your /etc/pam.d/system-auth-ac ?
Created attachment 303545
system auth file using pam_passwdqc
The three times repetition of the error message is actually a bug in pam_unix
module which should be fixed. Adding old password check to pam_passwdqc is
undesirable as that would be another duplication of functionality. Also the
pam_passwdqc module is developed by Solar Designer (see
http://www.openwall.com/passwdqc/) not by Red Hat.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Would it be desired to remove this duplication of functionality from
pam_cracklib as well? This is where you get the user experience inconsistency
between cracklib and passwdqc.
I am fine with this solution as stated, but I did want to bring this up.
For RHEL-5 we have to leave pam_cracklib as is. But perhaps this change could be
considered in upstream PAM mailing list.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.