Description of problem: The remember functionality of pam_unix can compare against the wrong username’s old passwords if the username is a substring of another username. The substring must be at the beginning of both usernames for this to occur. For example, a username ‘test’ will look at the old passwords of ‘test123’. Version-Release number of selected component (if applicable): pam-0.99.6.2-6.el5_5.2.i386.rpm How reproducible: Always Steps to Reproduce: 1. Make sure remember=8 or something similar is enabled on pam_unix in the password stack 2. Create a user ‘test1’ and change the password a few times 3. Create a user ‘test’ and change the password to a previous password of test1 Actual results: The password change is denied, however, it should not have been. Expected results: The password change is allowed. Additional info: You can see the erroneous code in pam_unix_passwd.c inside of the pam_unix module directory (in function save_old_password): while (fgets(buf, 16380, opwfile)) { if (!strncmp(buf, forwho, strlen(forwho))) { The fix is to search for a line that starts with the username followed immediately by a colon. The same erroneous code exists in "pam_unix_passwd.c" in function check_old_password: while (fgets(buf, 16380, opwfile)) { if (!strncmp(buf, forwho, strlen(forwho))) {
You can use pam_pwhistory instead of pam_unix remember feature. It is available in the current pam package in the Red Hat Enterprise Linux 5. For the bugfix request for remember feature of pam_unix please use the regular support channels http://www.redhat.com/support so the request can be properly prioritized.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. New Contents: There was a bug in the user matching when looking old password entries in /etc/security/opasswd in the pam_unix module when option remember is used. Due to the bug users whose usernames were a substring of another username could get mixed up the old password entries with the another user. The string matching of usernames was fixed so only exactly the same usernames are matched. After the fix the old password entries of users are not mixed up anymore.
Aargh - the test is right but the same repeated bug is also in pam_cracklib that is used in the password stack as well. I need to fix it there as well.
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,4 +1,4 @@ -There was a bug in the user matching when looking old password entries in /etc/security/opasswd in the pam_unix module when option remember is used. +There was a bug in the user matching when looking old password entries in /etc/security/opasswd in the pam_unix and pam_cracklib modules when option remember is used. Due to the bug users whose usernames were a substring of another username could get mixed up the old password entries with the another user. The string matching of usernames was fixed so only exactly the same usernames are matched. After the fix the old password entries of users are not mixed up anymore.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0032.html