Bug 983028 - passwd returns "Authentication token manipulation error" when entering wrong current password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-10 10:20 UTC by Ron van der Wees
Modified: 2020-05-02 17:25 UTC

Fixed In Version: sssd-1.9.2-121.el6
Doc Type: Bug Fix
Doc Text:
Cause: A user changing their password via passwd mistyped the current password. Consequence: SSSD returned a generic error code to passwd, which resulted in "Authentication token manipulation error". This message confused users because it looks like a system error. Fix: When a user mistypes the current password, SSSD prints the additional message "Old password not accepted". Result: The output of the password change now indicates that the current password was not accepted.
Clone Of:
Environment:
Last Closed: 2013-11-21 22:20:39 UTC
Target Upstream Version:
Embargoed:


Links:
 * Github SSSD sssd issues 2869 (closed): Cannot change expired password of an AD user (last updated 2021-02-09 16:18:19 UTC)
 * Github SSSD sssd issues 3071 (closed): passwd returns "Authentication token manipulation error" when entering wrong current password (last updated 2021-02-09 16:18:20 UTC)
 * Red Hat Knowledge Base (Solution) 420803
 * Red Hat Product Errata RHBA-2013:1680 (normal, SHIPPED_LIVE): sssd bug fix and enhancement update (last updated 2013-11-20 21:52:37 UTC)

Description Ron van der Wees 2013-07-10 10:20:27 UTC
Description of problem:
Trying to do a password change as an LDAP user using pam_sss.so and entering
the wrong 'current' password results in:

passwd: Authentication token manipulation error

which can be interpreted by an end user as a system error rather than the hint
of a wrong password.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-82.el6

How reproducible:
Always

Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and
   chpass_provider
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password


Actual results:
$ passwd
Changing password for user ldapuser.
Current Password: 
passwd: Authentication token manipulation error

Expected results:
More descriptive message like:
Authentication failed for user ldapuser

Additional info:
* The authentication failure is logged in /var/log/secure as:
Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)

* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
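The /var/log/secure line quoted in the report is the one signal an administrator actually gets when a user fails the current-password check during a change, since passwd itself only prints the generic "Authentication token manipulation error". The following parser, an added example that is not part of the bug report or of SSSD, extracts the service, PAM function, user and numeric PAM return code from such pam_sss lines and counts failed chauthtok attempts per user; the numeric PAM codes are those defined in Linux-PAM's _pam_types.h (7 is the PAM_AUTH_ERR shown in the report), and the sample lines other than the report's own are constructed.

```python
import re
from collections import Counter

# PAM return codes as defined in Linux-PAM's _pam_types.h (subset relevant
# to password changes); 7 is the value the report's /var/log/secure line shows.
PAM_CODES = {
    0: "PAM_SUCCESS",
    6: "PAM_PERM_DENIED",
    7: "PAM_AUTH_ERR",
    11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD",
    20: "PAM_AUTHTOK_ERR",
    21: "PAM_AUTHTOK_RECOVER_ERR",
}

# Shape of the pam_sss line quoted in the report:
#   Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^:]+): "
    r"pam_sss\((?P<service>[^:]+):(?P<func>[^)]+)\): "
    r"(?P<msg>.+?) for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$"
)

def parse_pam_sss(line):
    """Return a dict of fields for a pam_sss failure line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["code"] = int(d["code"])
    d["code_name"] = PAM_CODES.get(d["code"], "UNKNOWN")
    return d

def chauthtok_failures(lines):
    """Count failed password-change (chauthtok) attempts per user."""
    counts = Counter()
    for line in lines:
        rec = parse_pam_sss(line)
        if rec and rec["func"] == "chauthtok" and rec["code"] != 0:
            counts[rec["user"]] += 1
    return counts

# Constructed sample: the report's own line, a second constructed failure for
# the same user, and an unrelated sshd line that the parser must ignore.
SAMPLE = [
    "Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:33:40 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:34:02 hostname sshd[1234]: Accepted password for ldapuser from 10.0.0.5 port 50000 ssh2",
]
```

Running `chauthtok_failures(SAMPLE)` yields `{"ldapuser": 2}`; a burst of such failures for one account is worth correlating with login attempts, since the user-facing passwd message gives no hint that the current password was what failed.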

Comment 2 Ron van der Wees 2013-07-10 11:03:18 UTC
Similar issue when the new password does not match the password policy as
configured on the LDAP server:

~~~
$ passwd
Changing password for user ldapuser
Current Password:
New Password:
Reenter new Password:
Password change failed. Server message: Failed to update password

passwd: Authentication token is no longer valid; new one required
~~~

The end user will be unaware of the real reason for the password change reject.

Comment 3 Jakub Hrozek 2013-07-10 11:52:15 UTC
As discussed yesterday on IRC and as you noted, the same happens with a local user. The SSSD correctly returns the PAM error code for wrong password.

Please follow up with the passwd(1) maintainer if you think this is a bug, but it is definitely not an SSSD problem.

Comment 10 Jakub Hrozek 2013-07-25 09:09:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1827

Comment 11 Dmitri Pal 2013-07-25 13:29:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2029

Comment 14 Jakub Hrozek 2013-08-11 20:34:17 UTC
Fixed upstream

Comment 16 Nirupama Karandikar 2013-10-25 13:53:14 UTC
Tested with sssd-1.9.2-128.el6.x86_64
:: [   PASS   ] :: Running 'getent passwd sssduser1' (Expected 0, got 0)
spawn ssh -o StrictHostKeyChecking=no sssduser1@localhost
sssduser1@localhost's password: 
Last login: Fri Oct 25 13:57:14 2013 from localhost
id: cannot find name for group ID 10011
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password: 
New password: 
BAD PASSWORD: it is based on a dictionary word
New password: 
BAD PASSWORD: it is based on a dictionary word
New password: 
BAD PASSWORD: it is based on a dictionary word
passwd: Have exhausted maximum number of retries for service
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
:: [   PASS   ] :: Running 'su_success sssduser1 LionKing@_123' (Expected 0, got 0)

Comment 17 errata-xmlrpc 2013-11-21 22:20:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html
