Bug 811168 - fix pam_get_authtok_verify() to respect the authtok_type= option
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.3
Hardware: All Linux
Priority: low
Severity: low
Target Milestone: rc
Assigned To: Tomas Mraz
QA Contact: Dalibor Pospíšil
Reported: 2012-04-10 06:26 EDT by Miroslav Vadkerti
Modified: 2013-02-21 05:36 EST
Fixed In Version: pam-1.1.1-12.el6
Doc Type: Bug Fix
Doc Text:
Cause: The PAM_AUTHTOK_TYPE PAM item was not properly saved in the pam_get_authtok_verify() function.
Consequence: The authentication token type as specified with authtok_type option of pam_cracklib module was not respected in the 'Retype new password' message.
Fix: pam_get_authtok_verify() function was fixed to properly save the PAM_AUTHTOK_TYPE item.
Result: The authentication token type as specified with authtok_type option of pam_cracklib module is now respected in the 'Retype new password' message.
Last Closed: 2013-02-21 05:36:51 EST
Type: Bug


Description Miroslav Vadkerti 2012-04-10 06:26:23 EDT
Description of problem:
When using the authtok_type parameter for the pam_cracklib module, the given string isn't shown at the retype prompt:

# passwd pamtest6209
Changing password for user pamtest6209.
New PAMTEST password: 
Retype new password: 
passwd: all authentication tokens updated successfully.

According to the man page:
authtok_type=XXX
The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The example word UNIX can be replaced with this option, by default it is empty.

Version-Release number of selected component (if applicable):
pam-1.1.1-10.el6_2.1

How reproducible:
100%

Steps to Reproduce:
1. Set authtok_type for pam:
password required pam_cracklib.so authtok_type=PAMTEST
2. useradd test
3. passwd test
  
Actual results:
functionality <-> man page inconsistency

Expected results:
Man page correct, or string shown also at retype prompt

Additional info:
Not a regression
Comment 1 Tomas Mraz 2012-04-10 09:40:26 EDT
This depends on the following modules in the PAM stack. If they used the pam_get_authtok() function, it would work. Unfortunately pam_unix doesn't.

Basically this is a request to modify pam_unix to use the pam_get_authtok() function to obtain the password.
Comment 3 Tomas Mraz 2012-08-09 06:30:38 EDT
I was wrong in comment #1 - this is actually a bug in pam_get_authtok_verify().
Comment 8 errata-xmlrpc 2013-02-21 05:36:51 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0521.html
