Bug 983028 - passwd returns "Authentication token manipulation error" when entering wrong current password
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.4
Hardware: All
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Jakub Hrozek
QA Contact: Kaushik Banerjee
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-10 10:20 UTC by Ron van der Wees
Modified: 2020-05-02 17:25 UTC
CC: 8 users

Fixed In Version: sssd-1.9.2-121.el6
Doc Type: Bug Fix
Doc Text:
Cause: A user changing their password via passwd mistyped the current password.
Consequence: SSSD returned a generic error code to passwd, which resulted in "Authentication token manipulation error". This message confused users because it looks like a system error.
Fix: When a user mistypes the current password, SSSD prints the additional message "Old password not accepted".
Result: The output of the password change now indicates that the current password was not accepted.
Clone Of:
Environment:
Last Closed: 2013-11-21 22:20:39 UTC
Target Upstream Version:

Links
* Github SSSD sssd issue 2869 (closed): Cannot change expired password of an AD user; last updated 2021-02-09 16:18:19 UTC
* Github SSSD sssd issue 3071 (closed): passwd returns "Authentication token manipulation error" when entering wrong current password; last updated 2021-02-09 16:18:20 UTC
* Red Hat Knowledge Base Solution 420803; last updated: never
* Red Hat Product Errata RHBA-2013:1680 (priority normal, SHIPPED_LIVE): sssd bug fix and enhancement update; last updated 2013-11-20 21:52:37 UTC

Description Ron van der Wees 2013-07-10 10:20:27 UTC
Description of problem:
Trying to do a password change as an LDAP user using pam_sss.so and entering
the wrong 'current' password results in:

passwd: Authentication token manipulation error

which can be interpreted by an end user as a system error rather than the hint
of a wrong password.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-82.el6

How reproducible:
Always

Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and
   chpass_provider
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password


Actual results:
$ passwd
Changing password for user ldapuser.
Current Password: 
passwd: Authentication token manipulation error

Expected results:
More descriptive message like:
Authentication failed for user ldapuser

Additional info:
* The authentication failure is logged in /var/log/secure as
Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)

* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
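The whole report comes down to which Linux-PAM return code passwd receives and then prints through pam_strerror(): code 7 (PAM_AUTH_ERR) prints "Authentication failure", code 20 (PAM_AUTHTOK_ERR) prints "Authentication token manipulation error", and the numeric code also ends up in the /var/log/secure line quoted above. The following added example (not part of the bug report or of SSSD) parses pam_sss lines of that shape, maps the numeric code to its symbolic name and counts password-change failures per user, so an administrator can tell a mistyped current password from a real token error even when the on-screen message is ambiguous. The code values and message strings are the standard Linux-PAM ones; the first sample line is the one quoted in the report, the remaining sample lines and the hostname are constructed for this example.

```python
import re
from collections import Counter

# Linux-PAM return codes (values from <security/_pam_types.h>) and the
# pam_strerror() text passwd prints for them. Only codes that appear in
# this bug report are listed.
PAM_CODES = {
    0: ("PAM_SUCCESS", "Success"),
    7: ("PAM_AUTH_ERR", "Authentication failure"),
    11: ("PAM_MAXTRIES", "Have exhausted maximum number of retries for service"),
    12: ("PAM_NEW_AUTHTOK_REQD", "Authentication token is no longer valid; new one required"),
    20: ("PAM_AUTHTOK_ERR", "Authentication token manipulation error"),
}

# Shape of the syslog line written by pam_sss, e.g.
# Jul  9 13:33:11 host passwd: pam_sss(passwd:chauthtok): Authentication failed for user bob: 7 (Authentication failure)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>\w+)(?:\[\d+\])?: "
    r"pam_sss\((?P<service>[^:()]+):(?P<action>[^()]+)\): "
    r"(?P<msg>.*?) for user (?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)$"
)


def pam_code_name(code):
    """Map a numeric PAM return code to its symbolic name (placeholder if unknown)."""
    return PAM_CODES.get(code, ("PAM_UNKNOWN_%d" % code, ""))[0]


def parse_line(line):
    """Parse one pam_sss syslog line into a dict; return None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    rec["code_name"] = pam_code_name(rec["code"])
    return rec


def summarize(lines, action="chauthtok"):
    """Count pam_sss failures per (user, PAM code name) for one PAM action.

    The default action, chauthtok, is the password-change stack that passwd
    drives; auth-stack lines (e.g. from sshd) are left out of the count.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == action:
            counts[(rec["user"], rec["code_name"])] += 1
    return counts


# Sample input: the first line is the one quoted in the bug report; the
# others are constructed for this example (hostname and times are made up).
SAMPLE_LINES = [
    "Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:34:02 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:35:40 hostname passwd: pam_sss(passwd:chauthtok): Password change failed for user ldapuser: 20 (Authentication token manipulation error)",
    "Jul  9 13:36:15 hostname sshd[2231]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=ldapuser",
    "Jul  9 13:36:18 hostname sshd[2231]: pam_sss(sshd:auth): received for user ldapuser: 7 (Authentication failure)",
]

if __name__ == "__main__":
    for (user, code_name), n in sorted(summarize(SAMPLE_LINES).items()):
        message = PAM_CODES.get(int(code_name.rsplit("_", 1)[-1]) if code_name.startswith("PAM_UNKNOWN_") else 0, ("", ""))[1]
        print(f"{user:12s} {code_name:24s} {n}")
```

Run against a real /var/log/secure, a steady stream of PAM_AUTH_ERR (7) on the chauthtok stack is users mistyping their current password, which is exactly the case this bug makes hard to recognise from passwd's output alone, whereas PAM_AUTHTOK_ERR (20) points at the change itself being refused (policy or server side).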

Comment 2 Ron van der Wees 2013-07-10 11:03:18 UTC
Similar issue when the new password does not match the password policy as
configured on the LDAP server:

~~~
$ passwd
Changing password for user ldapuser
Current Password:
New Password:
Reenter new Password:
Password change failed. Server message: Failed to update password

passwd: Authentication token is no longer valid; new one required
~~~

The end user will be unaware of the real reason the password change was rejected.

Comment 3 Jakub Hrozek 2013-07-10 11:52:15 UTC
As discussed yesterday on IRC and as you noted, the same happens with a local user. The SSSD correctly returns the PAM error code for wrong password.

Please follow up with the passwd(1) maintainer if you think this is a bug, but this is definitely not an SSSD problem.

Comment 10 Jakub Hrozek 2013-07-25 09:09:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1827

Comment 11 Dmitri Pal 2013-07-25 13:29:21 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2029

Comment 14 Jakub Hrozek 2013-08-11 20:34:17 UTC
Fixed upstream

Comment 16 Nirupama Karandikar 2013-10-25 13:53:14 UTC
Tested with sssd-1.9.2-128.el6.x86_64

~~~
:: [   PASS   ] :: Running 'getent passwd sssduser1' (Expected 0, got 0)
spawn ssh -o StrictHostKeyChecking=no sssduser1@localhost
sssduser1@localhost's password: 
Last login: Fri Oct 25 13:57:14 2013 from localhost
id: cannot find name for group ID 10011
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password: 
Password change failed. Server message: Old password not accepted.
passwd: Authentication token manipulation error
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password: 
New password: 
BAD PASSWORD: it is based on a dictionary word
New password: 
BAD PASSWORD: it is based on a dictionary word
New password: 
BAD PASSWORD: it is based on a dictionary word
passwd: Have exhausted maximum number of retries for service
[sssduser1@dhcp207-156 ~]$ passwd
Changing password for user sssduser1.
Current Password: 
New password: 
Retype new password: 
passwd: all authentication tokens updated successfully.
:: [   PASS   ] :: Running 'su_success sssduser1 LionKing@_123' (Expected 0, got 0)
~~~

Comment 17 errata-xmlrpc 2013-11-21 22:20:39 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1680.html
