Ubuntu
pam package

a "new password" failure in a requisite PAM module does not prevent setting that password

Bug #198730 reported by AlainKnaff
2
Affects Status Importance Assigned to Milestone
pam (Ubuntu)
Fix Released
Undecided
Unassigned

Bug Description

If a PAM module fails due to bad "new" password (too simple), the following modules still get called, and set the bad passwords, and this even if module marked as requisite (return to application immediately on error).

This can be seen both by cracklib, and by libpam_unix's own builtin checks.

Example:

password requisite pam_cracklib.so retry=6 minlen=6 difok=3
password required pam_unix.so nullok md5

If a password that is too simple is entered, pam_cracklib complains, but processing still moves on (causing pam_unix to set that bad password).

Here is an example of the dialog:

Changing password for testens.
(current) UNIX password:
New UNIX password:
BAD PASSWORD: is too similar to the old one
New UNIX password:
BAD PASSWORD: is too similar to the old one
New UNIX password:
BAD PASSWORD: is too similar to the old one
New UNIX password:
BAD PASSWORD: is too similar to the old one
New UNIX password:
BAD PASSWORD: is too similar to the old one
New UNIX password:
BAD PASSWORD: is too similar to the old one
Enter new UNIX password:
Retype new UNIX password:
passwd: Authentication token manipulation error
passwd: password unchanged

However, despite the display "password unchanged", it is indeed unchanged.

The problem happens independently of whether pam_cracklib is declared as required or requisite.

The problem also happens if the failing module is pam_unix (due to its own builtin minimal password strength check) and is followed by another module (such as pam_ldap). In that case the situation becomes much worse, because here we'll end up with the LDAP password changed, but the Unix password still equal to the old one. In such a situation, the user may no longer be able to change his password, because the "old" password no longer can match both LDAP and Unix.

Due to the fact that different "error raising" modules are impacted (pam_cracklib and pam_unix), and that different "password setting" modules are impacted (pam_unix and pam_ldap), I believe that the cause must lie within PAM itself, rather than the modules.

Revision history for this message
AlainKnaff (kubuntu-misc) wrote :

Ok, found out how to do it:

Adding use_authtok to all subsequent modules fixes the issue.

Sorry for the "false alert".

Revision history for this message
Steve Langasek (vorlon) wrote :

Thank you for taking the time to report this issue and help to improve Ubuntu.

In addition to the 'use_authtok' solution, which is recommended generally, the specific problem you reported has been resolved as of pam 1.0.1-6:

pam (1.0.1-6) unstable; urgency=low

  * Updated debconf translations:
    - Vietnamese, thanks to Clytie Siddall <email address hidden>
  * New patch dont_freeze_password_chain, cherry-picked from upstream:
    don't always follow the same path through the password stack on
    the PAM_UPDATE_AUTHTOK pass as was used in the PAM_PRELIM_CHECK
    pass; this Linux-PAM deviation from the original PAM spec causes a
    number of problems, in particular causing wrong return values when
    using the refactored pam-auth-update stack. LP: #303515, #305882.

Changed in pam:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.