Bug 57532 - pam_cracklib not seeing old password when chained with pam_ldap
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: nss_ldap
Version: 7.2
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Reported: 2001-12-14 22:44 UTC by John Dalbec
Modified: 2007-04-18 16:38 UTC (History)

Doc Type: Bug Fix
Last Closed: 2001-12-19 19:09:37 UTC

Attachments
patch to set PAM_OLDAUTHTOK item during prelim check (737 bytes, patch)
2001-12-18 21:57 UTC, John Dalbec

Description John Dalbec 2001-12-14 22:44:02 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.77 [en] (X11; U; Linux 2.4.9-12 i686)

Description of problem:
This is a bad interaction between several components.  The "passwd" program
calls pam_chauthtok().  On PAM_PRELIM_CHECK, pam_cracklib's
pam_sm_chauthtok() does (essentially) nothing.  Then pam_ldap's
pam_sm_chauthtok() gets the old password and stores it in
PADL_LDAP_AUTHTOK_DATA with pam_set_data() (but not in PAM_OLDAUTHTOK with
pam_set_item()).  Now pam_cracklib gets control again for the update, but
it's looking for the old password in PAM_OLDAUTHTOK with pam_get_item() and
can't find it.  This disables certain checks such as simple().

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Define an LDAP account.
2. As the LDAP user, change its password.
3. Enter 'qwerty' at the 'New UNIX password:' prompt.
	

Actual Results:  Retype new UNIX password:

Expected Results:  BAD PASSWORD: is too simple

Additional info:

pam_ldap.h:#define PADL_LDAP_OLDAUTHTOK_DATA "PADL-LDAP-OLDAUTHTOK-DATA"
pam_modules.h:#define PAM_OLDAUTHTOK  7	/* The old authentication token */

This could be fixed by setting the PAM_OLDAUTHTOK item in pam_ldap or by
changing pam_cracklib to retrieve a current password and save it in
PAM_OLDAUTHTOK when not running as root.
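
The interaction described in the report above, as an added example that is not part of the original bug report, the attached patch, or the pam_ldap/pam_cracklib sources: a self-contained C model (no libpam calls) of the two password-change passes. The struct, the function names, the `publish_item` switch and the length-based `too_simple` stand-in are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy PAM handle: one shared item and one module-private data slot. */
struct handle {
    const char *oldauthtok;   /* models the PAM_OLDAUTHTOK item (pam_set_item) */
    const char *ldap_private; /* models pam_ldap's pam_set_data() slot */
};

enum phase { PRELIM_CHECK, UPDATE_AUTHTOK };

/* Stand-in for the checks that need the old password; NOT cracklib's real rule. */
static int too_simple(const char *new_pw) { return strlen(new_pw) < 8; }

/* Models pam_cracklib: idle on the preliminary pass, checks on the update pass. */
static int cracklib_chauthtok(const struct handle *h, enum phase p, const char *new_pw)
{
    if (p == PRELIM_CHECK) return 0;
    if (h->oldauthtok == NULL)   /* item missing: old-password checks are skipped */
        return 0;
    return too_simple(new_pw);   /* 1 = "BAD PASSWORD" */
}

/* Models pam_ldap: obtains the old password on the preliminary pass. */
static void ldap_chauthtok(struct handle *h, enum phase p, const char *old_pw, int publish_item)
{
    if (p != PRELIM_CHECK) return;
    h->ldap_private = old_pw;        /* behaviour described in the report */
    if (publish_item)
        h->oldauthtok = old_pw;      /* first fix suggested in the report */
}

/* Runs the stack "cracklib, then ldap" for both passes; returns 1 if rejected. */
int password_rejected(int publish_item, const char *old_pw, const char *new_pw)
{
    struct handle h = { NULL, NULL };
    if (cracklib_chauthtok(&h, PRELIM_CHECK, new_pw)) return 1;
    ldap_chauthtok(&h, PRELIM_CHECK, old_pw, publish_item);
    return cracklib_chauthtok(&h, UPDATE_AUTHTOK, new_pw);
}

int main(void)
{
    /* "old-secret" is a constructed sample value; 'qwerty' is from the report. */
    printf("private data only: rejected=%d\n", password_rejected(0, "old-secret", "qwerty"));
    printf("item also set:     rejected=%d\n", password_rejected(1, "old-secret", "qwerty"));
    return 0;
}
```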

Comment 1 John Dalbec 2001-12-18 21:57:35 UTC
Created attachment 40968
patch to set PAM_OLDAUTHTOK item during prelim check

Comment 2 John Dalbec 2001-12-19 19:09:32 UTC
The patch I attached includes my fix for bug #56201.

