Description of problem:
If a user has a password that has expired and is in the X day window where they can change it before it is rendered inactive and tries to create the new password with one that was previously used, an error occurs stating "Password has already been used. Choose another.". This error is correct but the user has to click 3 separate windows.

Version-Release number of selected component (if applicable):
pam_passwdqc-1.0.2-1.2.2

How reproducible:
Utilize pam_passwdqc in system-auth. Set "remember=7" for pam_unix. Cause a few password changes through aging (chage) and then try to change password to previously used password.

Actual results:
"Password has already been used. Choose another." is shown three times in a row to console or gdm.

Expected results:
If the password history was consulted, like cracklib, the user would have another chance to enter a new password within all of the password constraints.

Additional info:
Doesn't cause a security failure, but this functionality IMHO is inconsistent with desired behavior.
Can you please attach your /etc/pam.d/system-auth-ac ?
Created attachment 303545: system auth file using pam_passwdqc
The three times repetition of the error message is actually a bug in pam_unix module which should be fixed. Adding old password check to pam_passwdqc is undesirable as that would be another duplication of functionality. Also the pam_passwdqc module is developed by Solar Designer (see http://www.openwall.com/passwdqc/) not by Red Hat.
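For readers following the reproduction steps in the report and the explanation above, here is an illustrative password stack for /etc/pam.d/system-auth-ac. It is an added example with assumed module options, not the reporter's attached file, showing which module performs which check when pam_passwdqc is stacked ahead of pam_unix with remember=7.

```text
#%PAM-1.0
# Illustrative "password" phase only (assumed layout, not the attachment).
#
# 1. pam_passwdqc enforces password QUALITY (length/character classes).
#    Its retry=3 only re-prompts when a candidate fails passwdqc's own
#    checks; it knows nothing about password history.
password    requisite     pam_passwdqc.so min=disabled,24,12,8,7 max=40 retry=3
#
# 2. pam_unix performs the HISTORY check: remember=7 keeps the last seven
#    hashes in /etc/security/opasswd and rejects a reused password with
#    "Password has already been used. Choose another."
#    use_authtok tells pam_unix to take the password passwdqc already
#    collected rather than prompting itself, so a history rejection here
#    cannot ask for a fresh password; that is the user-experience gap the
#    report describes, and the comment above places the fix in pam_unix.
password    sufficient    pam_unix.so md5 shadow nullok use_authtok remember=7
password    required      pam_deny.so
```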
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Would it be desired to remove this duplication of functionality from pam_cracklib as well? This is where you get the user experience inconsistency between cracklib and passwdqc. I am fine with this solution as stated, but I did want to bring this up.
For RHEL-5 we have to leave pam_cracklib as is. But perhaps this change could be considered in upstream PAM mailing list.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2009-0222.html