Red Hat Bugzilla – Bug 987997
RHEL 5.x/6.x - Password is getting changed even After error message received from PAM module
Last modified: 2014-06-19 09:20:27 EDT
Description of problem:
Platform RHEL 5.x/6.x
We have written a sample PAM plugin. Our PAM plugin basically detects password changes and stores them in a local repository. Now we want to put some password validation on the password that we accept/store for the user.
When we change a user's password using 'passwd testuser' and enter a new password which complies with the defined password policy, the new password is updated in the local repository and the user's new password is updated in the OS as well.
But when we try to change to a password which goes against the password policy, my PAM application rejects the password, doesn't store the password in the local repository, and also sends an error code back to the operating system. Here the OS throws an error, but even though the error is received, the OS allows the user's password to be changed.
[root@testmachine pam]# passwd testuser1
Changing password for user testuser1.
New UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
Entry in /etc/pam.d.system-auth
password requisite pam_cracklib.so try_first_pass retry=3
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient MyPAMModule.so
password required pam_deny.so
Not sure why the password is still getting changed instead of an error; our PAM module library sends "PAM_AUTHTOK_ERR" back to the Linux operating system. Why does the OS allow the password change?
Version-Release number of selected component (if applicable):
Steps to Reproduce:
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
You either have to stack your module before pam_unix and use a different action than 'sufficient', or you have to return the error in the PAM_PRELIM_CHECK phase of the password change.
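The second option in the reply above, shown as a simplified model of the two-pass password stack. This is an added example, not code from the bug report or from Linux-PAM. It assumes a hypothetical 8-character policy, uses its own constants and function names rather than the libpam ones, and does not model control flags such as 'sufficient'.

```c
#include <stdio.h>
#include <string.h>

/* Constants of this model only; they are not the libpam values. */
enum { PH_PRELIM = 1, PH_UPDATE = 2 };
enum { RC_OK = 0, RC_AUTHTOK_ERR = 1 };
static char shadow_pw[64];                 /* stands in for the stored password */
const char *stored_password(void) { return shadow_pw; }

/* pam_unix model: accepts the preliminary check, writes during the update. */
static int unix_mod(int phase, const char *pw) {
    if (phase == PH_UPDATE) snprintf(shadow_pw, sizeof shadow_pw, "%s", pw);
    return RC_OK;
}

/* Hypothetical policy for the example: at least 8 characters. */
static int policy_ok(const char *pw) { return strlen(pw) >= 8; }

/* Custom module as in the report: rejects only in the update phase. */
static int late_mod(int phase, const char *pw) {
    return (phase == PH_UPDATE && !policy_ok(pw)) ? RC_AUTHTOK_ERR : RC_OK;
}
/* Custom module as the reply suggests: rejects in the preliminary check. */
static int prelim_mod(int phase, const char *pw) {
    return (phase == PH_PRELIM && !policy_ok(pw)) ? RC_AUTHTOK_ERR : RC_OK;
}
typedef int (*mod_fn)(int phase, const char *pw);

/* Two passes over the stack; the update pass starts only if prelim passed. */
int change_password(mod_fn custom, const char *old_pw, const char *new_pw) {
    mod_fn stack[2] = { unix_mod, custom };  /* pam_unix first, as in the report */
    snprintf(shadow_pw, sizeof shadow_pw, "%s", old_pw);
    for (int phase = PH_PRELIM; phase <= PH_UPDATE; phase++) {
        int rc = RC_OK;
        for (int i = 0; i < 2; i++) {
            int r = stack[i](phase, new_pw);
            if (r != RC_OK) rc = r;          /* too late to undo an earlier write */
        }
        if (rc != RC_OK) return rc;
    }
    return RC_OK;
}

int main(void) {
    int rc = change_password(late_mod, "OldSecret1", "abc");
    printf("late check:   rc=%d stored=%s\n", rc, stored_password());
    rc = change_password(prelim_mod, "OldSecret1", "abc");
    printf("prelim check: rc=%d stored=%s\n", rc, stored_password());
    return 0;
}
```

With the late check the caller gets an error but the stored password is already the rejected one; with the preliminary check the error arrives before any module writes.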