Bug 443872 - Three error prompts from pam_unix with use_authtok for old password check
Three error prompts from pam_unix with use_authtok for old password check
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam (Show other bugs)
5.1
All Linux
low Severity low
: rc
: ---
Assigned To: Tomas Mraz
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-04-23 15:41 EDT by Chad Hanson
Modified: 2009-01-20 17:04 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-01-20 17:04:27 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
system auth file using pam_passwdqc (947 bytes, text/plain)
2008-04-23 16:06 EDT, Chad Hanson
no flags Details

  None (edit)
Description Chad Hanson 2008-04-23 15:41:52 EDT
Description of problem:
If a user has a password that has expired and is in the X day window where they
can change it before it is rendered inactive and tries to create the new
password with one that was previously used, an error occurs stating "Password
has already been used.  Choose another.".  This error is correct but the user
has to click 3 seperate windows.

Version-Release number of selected component (if applicable):
pam_passwdqc-1.0.2-1.2.2

How reproducible:
Utilize pam_passwdqc in system-auth.
Set "remember=7" for pam_unix.
Cause a few password changes through aging (chage) and then try to change
password to previously used password. 

  
Actual results:
"Password has already been used.  Choose another." is shown three times in a row
to console or gdm.


Expected results:
If the password history was consulted, like cracklib, the user would have
another chance to enter a new password within all of the password constraints.

Additional info:
Doesn't cause a security failure, but this functionality IMHO is inconsistent
with desired behavior.
Comment 1 Tomas Mraz 2008-04-23 15:51:50 EDT
Can you please attach your /etc/pam.d/system-auth-ac ?
Comment 2 Chad Hanson 2008-04-23 16:06:19 EDT
Created attachment 303545 [details]
system auth file using pam_passwdqc
Comment 3 Tomas Mraz 2008-04-23 17:31:06 EDT
The three times repetition of the error message is actually a bug in pam_unix
module which should be fixed. Adding old password check to pam_passwdqc is
undesirable as that would be another duplication of functionality. Also the
pam_passwdqc module is developed by Solar Designer (see
http://www.openwall.com/passwdqc/) not by Red Hat.
Comment 4 RHEL Product and Program Management 2008-06-03 06:37:13 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 5 Chad Hanson 2008-06-03 10:24:53 EDT
Would it be desired to remove this duplication of functionality from
pam_cracklib as well? This is where you get the user experience inconsistency
between cracklib and passwdqc.

I am fine with this solution as stated, but I did want to bring this up.
Comment 6 Tomas Mraz 2008-06-03 10:42:48 EDT
For RHEL-5 we have to leave pam_cracklib as is. But perhaps this change could be
considered in upstream PAM mailing list.
Comment 11 errata-xmlrpc 2009-01-20 17:04:27 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2009-0222.html

Note You need to log in before you can comment on or make changes to this bug.