Bug 987997 - RHEL 5.x/6.x - Password is getting changed even After error message received from PAM module
Summary: RHEL 5.x/6.x - Password is getting changed even After error message received ...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Version: 6.4
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Tomas Mraz
QA Contact: BaseOS QE Security Team
Reported: 2013-07-24 14:06 UTC by nagesh.bhagwat
Modified: 2014-06-19 13:20 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-06-19 13:20:27 UTC
Target Upstream Version:
Embargoed:



Description nagesh.bhagwat 2013-07-24 14:06:18 UTC
Description of problem:

Platform RHEL 5.x/6.x

We have written a sample PAM plugin. Our PAM plugin basically detects password changes and stores them in a local repository. Now we want to put some password validation on the passwords that we accept/store for the user.

When we try to change a user's password using 'passwd testuser' and enter a new password which complies with the defined password policy, the new password is updated in the local repository and the user's new password is updated in the OS as well.

But when we try to change to a password that is against the password policy, my PAM application rejects the password, doesn't store it in the local repository, and also sends an error code back to the operating system. Here the OS throws an error, but even though the error is received, the OS allows the user's password to be changed.

[root@testmachine pam]# passwd testuser1 
Changing password for user testuser1. 
New UNIX password: 
Retype new UNIX password: 
passwd: Authentication token manipulation error

Entry in /etc/pam.d/system-auth

password requisite pam_cracklib.so try_first_pass retry=3 
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient MyPAMModule.so
password required pam_deny.so

Not sure why the password is still getting changed instead of an error. Our PAM module library sends "PAM_AUTHTOK_ERR" back to the Linux operating system. Why does the OS allow the password change?





Comment 2 RHEL Program Management 2013-10-14 03:02:04 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 3 Tomas Mraz 2014-06-19 13:20:27 UTC
You either have to stack your module before pam_unix and use a different action than 'sufficient', or you have to return the error in the PAM_PRELIM_CHECK phase of the password change.
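
Added example (not from the bug report and not Linux-PAM code): a simplified single-pass model of the control flags documented in pam.conf(5), showing why the reported stack writes the password before MyPAMModule.so can reject it and how stacking the module before pam_unix changes that. The module bodies are stand-ins; `requisite` for the module and `sufficient` for pam_unix in the reordered stack are assumed choices.

```c
/* Simplified model of the update pass of a PAM "password" stack.
 * Control flags follow pam.conf(5); module bodies are stand-ins. */
#include <stdio.h>
#include <string.h>

#define PAM_SUCCESS      0      /* values as in Linux-PAM headers */
#define PAM_AUTHTOK_ERR 20

enum ctl { REQUISITE, REQUIRED, SUFFICIENT };
struct entry { enum ctl ctl; const char *module; };

static int password_written;    /* set when the pam_unix stand-in runs */

static int run_module(const char *m, int policy_ok) {
    if (strcmp(m, "pam_unix.so") == 0) { password_written = 1; return PAM_SUCCESS; }
    if (strcmp(m, "MyPAMModule.so") == 0) return policy_ok ? PAM_SUCCESS : PAM_AUTHTOK_ERR;
    if (strcmp(m, "pam_deny.so") == 0) return PAM_AUTHTOK_ERR;
    return PAM_SUCCESS;         /* pam_cracklib.so stand-in accepts */
}

/* Returns the stack result; password_written records the side effect. */
static int run_stack(const struct entry *s, int n, int policy_ok) {
    int failed = PAM_SUCCESS;   /* first required failure seen so far */
    password_written = 0;
    for (int i = 0; i < n; i++) {
        int rc = run_module(s[i].module, policy_ok);
        if (rc == PAM_SUCCESS) {
            if (s[i].ctl == SUFFICIENT && failed == PAM_SUCCESS) return PAM_SUCCESS;
        } else if (s[i].ctl == REQUISITE) {
            return failed != PAM_SUCCESS ? failed : rc;  /* stop immediately */
        } else if (s[i].ctl == REQUIRED && failed == PAM_SUCCESS) {
            failed = rc;        /* remember the failure, keep going */
        }                       /* a failing SUFFICIENT module is ignored */
    }
    return failed;
}

static const struct entry reported[] = {    /* order from the description */
    { REQUISITE, "pam_cracklib.so" }, { REQUIRED, "pam_unix.so" },
    { SUFFICIENT, "MyPAMModule.so" }, { REQUIRED, "pam_deny.so" } };
static const struct entry reordered[] = {   /* module before pam_unix (assumed flags) */
    { REQUISITE, "pam_cracklib.so" }, { REQUISITE, "MyPAMModule.so" },
    { SUFFICIENT, "pam_unix.so" }, { REQUIRED, "pam_deny.so" } };

int main(void) {
    int rc = run_stack(reported, 4, 0);
    printf("reported:  rc=%d written=%d\n", rc, password_written);
    rc = run_stack(reordered, 4, 0);
    printf("reordered: rc=%d written=%d\n", rc, password_written);
    return 0;
}
```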

