Bug 987997 - RHEL 5.x/6.x - Password is getting changed even After error message received from PAM module
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam
Hardware: x86_64 Linux
Priority: unspecified, Severity: medium
Assigned To: Tomas Mraz
BaseOS QE Security Team
Reported: 2013-07-24 10:06 EDT by nagesh.bhagwat
Modified: 2014-06-19 09:20 EDT
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-06-19 09:20:27 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Attachments: None
Description nagesh.bhagwat 2013-07-24 10:06:18 EDT
Description of problem:

Platform RHEL 5.x/6.x

We have written a sample PAM plugin, and our PAM plugin basically detects password changes and stores them in a local repository. Now we wanted to put some password validation on the password that we accept/store for the user.

When we try to change a user password using 'passwd testuser' and enter a new password which complies with the password policy defined, then we have the new password updated in the local repository, and the user's new password is updated in the OS as well.

But when we try to change the password to one which is against the password policy, my PAM application rejects the password, doesn't store the password in the local repository and also sends an error code back to the operating system; here the OS throws an error, but even though the error is received, the OS allows the password of the user to be changed.

[root@testmachine pam]# passwd testuser1 
Changing password for user testuser1. 
New UNIX password: 
Retype new UNIX password: 
passwd: Authentication token manipulation error

Entry in /etc/pam.d/system-auth

password requisite pam_cracklib.so try_first_pass retry=3
password required pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient MyPAMModule.so
password required pam_deny.so

Not sure why the password is still getting changed instead of giving an error, since our PAM module library sends "PAM_AUTHTOK_ERR" back to the Linux operating system. Why does the OS allow the password change?

Comment 2 RHEL Product and Program Management 2013-10-13 23:02:04 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 Tomas Mraz 2014-06-19 09:20:27 EDT
You either have to stack your module before pam_unix and use a different action than 'sufficient', or you have to return the error in the PAM_PRELIM_CHECK phase of the password change.
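To make that concrete, here is an added simulation (not code from the bug report or from Linux-PAM) of how pam_chauthtok() drives the password stack in two passes, PAM_PRELIM_CHECK and then PAM_UPDATE_AUTHTOK, with simplified requisite/required/sufficient handling. It assumes a hypothetical eight-character minimum as the policy, omits pam_cracklib, and shows the reporter's order committing the new token before the error is raised, beside the two fixes described in the comment above.

```python
# Constructed simulation of Linux-PAM's password-stack dispatch (simplified).
PAM_SUCCESS, PAM_AUTHTOK_ERR = 0, 20          # real Linux-PAM return codes
PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"

def pam_unix(phase, state, new_pw):
    # Stand-in for pam_unix.so: writes the new token during the update phase.
    if phase == UPDATE:
        state["shadow"] = new_pw
    return PAM_SUCCESS

def pam_deny(phase, state, new_pw):
    # Stand-in for pam_deny.so, which fails chauthtok with PAM_AUTHTOK_ERR.
    return PAM_AUTHTOK_ERR

def policy_module(check_in_prelim):
    # Stand-in for MyPAMModule.so: hypothetical 8-char minimum, mirrors accepted tokens.
    def module(phase, state, new_pw):
        if phase == UPDATE or check_in_prelim:
            if len(new_pw) < 8:
                return PAM_AUTHTOK_ERR
            state["repo"] = new_pw
        return PAM_SUCCESS
    return module

def run_stack(stack, phase, state, new_pw):
    # requisite: fail fast; required: remember failure, continue; sufficient: stop on success.
    failure = None
    for control, mod in stack:
        rc = mod(phase, state, new_pw)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc
        if control == "required" and rc != PAM_SUCCESS and failure is None:
            failure = rc
        if control == "sufficient" and rc == PAM_SUCCESS and failure is None:
            return PAM_SUCCESS
    return PAM_SUCCESS if failure is None else failure

def pam_chauthtok(stack, new_pw):
    # pam_chauthtok() walks the stack twice: PRELIM_CHECK, then UPDATE_AUTHTOK.
    state = {"shadow": "old-hash"}
    rc = run_stack(stack, PRELIM, state, new_pw)
    if rc == PAM_SUCCESS:
        rc = run_stack(stack, UPDATE, state, new_pw)
    return rc, state["shadow"]

# The reporter's order (pam_cracklib omitted), and the two fixes from comment 3.
ORIGINAL = [("required", pam_unix), ("sufficient", policy_module(False)), ("required", pam_deny)]
REORDERED = [("requisite", policy_module(False)), ("required", pam_unix)]
PRELIM_CHECK = [("required", pam_unix), ("sufficient", policy_module(True)), ("required", pam_deny)]
```

With ORIGINAL and a rejected password, pam_chauthtok() returns PAM_AUTHTOK_ERR (the "Authentication token manipulation error" seen by passwd) yet the simulated shadow entry already holds the new token; both fixes return the same error with the old token intact.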
