Bug 811168 - fix pam_get_authtok_verify() to respect the authtok_type= option
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.3
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: Dalibor Pospíšil
Reported: 2012-04-10 10:26 UTC by Miroslav Vadkerti
Modified: 2013-02-21 10:36 UTC (History)

Fixed In Version: pam-1.1.1-12.el6
Doc Type: Bug Fix
Doc Text:
Cause: The PAM_AUTHTOK_TYPE PAM item was not properly saved in the pam_get_authtok_verify() function.
Consequence: The authentication token type specified with the authtok_type option of the pam_cracklib module was not respected in the 'Retype new password' message.
Fix: The pam_get_authtok_verify() function was fixed to properly save the PAM_AUTHTOK_TYPE item.
Result: The authentication token type specified with the authtok_type option of the pam_cracklib module is now respected in the 'Retype new password' message.
Last Closed: 2013-02-21 10:36:51 UTC

Links
System: Red Hat Product Errata
ID: RHSA-2013:0521
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: pam security, bug fix, and enhancement update
Last Updated: 2013-02-20 21:28:50 UTC

Description Miroslav Vadkerti 2012-04-10 10:26:23 UTC
Description of problem:
When using the authtok_type parameter for the pam_cracklib module, the given string isn't shown at the retype prompt:

# passwd pamtest6209
Changing password for user pamtest6209.
New PAMTEST password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

According to the man page:
authtok_type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option, by default it is empty.

Version-Release number of selected component (if applicable):
pam-1.1.1-10.el6_2.1

How reproducible:
100%

Steps to Reproduce:
1. Set authtok_type for pam:
password required pam_cracklib.so authtok_type=PAMTEST
2. useradd test
3. passwd test
  
Actual results:
functionality <-> man page inconsistency

Expected results:
Man page correct, or string shown also at retype prompt

Additional info:
Not a regression

Comment 1 Tomas Mraz 2012-04-10 13:40:26 UTC
This depends on the following modules in the PAM stack. If they used the pam_get_authtok() function, it would work. Unfortunately pam_unix doesn't.

Basically this is a request to modify pam_unix to use the pam_get_authtok() function to obtain the password.

Comment 3 Tomas Mraz 2012-08-09 10:30:38 UTC
I was wrong in comment #1 - this is actually a bug in pam_get_authtok_verify().

Comment 8 errata-xmlrpc 2013-02-21 10:36:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0521.html
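
A check for the condition this report describes, as an added example that is not part of the bug report or of PAM: it compares an installed pam package string against the report's Fixed In Version and lists password-stack lines that set authtok_type=. The version comparison is a simplified stand-in for rpm's own, and the sample configuration and all function names are constructed for illustration.

```python
import re

FIXED_IN = "pam-1.1.1-12.el6"  # "Fixed In Version" field of this bug

# Constructed sample of a password stack (not taken from the reporter's system).
SAMPLE_CONF = """\
# /etc/pam.d/system-auth (constructed)
password    requisite     pam_cracklib.so try_first_pass retry=3 authtok_type=PAMTEST
password    sufficient    pam_unix.so sha512 shadow use_authtok
password    required      pam_deny.so
"""

def _segments(label):
    # Split on separators and on digit/letter boundaries, as rpm does.
    return re.findall(r"\d+|[A-Za-z]+", label)

def rpm_label_cmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^'): returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def has_fix(installed_nvr, fixed_nvr=FIXED_IN):
    """True if the installed name-version-release is at or past the fix."""
    _, ver, rel = installed_nvr.rsplit("-", 2)
    _, fver, frel = fixed_nvr.rsplit("-", 2)
    return (rpm_label_cmp(ver, fver) or rpm_label_cmp(rel, frel)) >= 0

# type, control (plain word or [bracketed list]), module path, arguments
LINE = re.compile(r"^-?password\s+(?:\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def authtok_type_lines(conf_text):
    """Return (module, value) for password-stack lines setting authtok_type=."""
    hits = []
    for raw in conf_text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            for arg in m.group(2).split():
                if arg.startswith("authtok_type="):
                    hits.append((m.group(1), arg.split("=", 1)[1]))
    return hits

def audit(installed_nvr, conf_text):
    """Lines whose retype prompt will ignore authtok_type on an unfixed pam."""
    return [] if has_fix(installed_nvr) else authtok_type_lines(conf_text)
```

Calling `audit("pam-1.1.1-10.el6_2.1", SAMPLE_CONF)` with the reporter's package version returns the pam_cracklib line; with the fixed version it returns an empty list.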

