"Current Password:" shows inappropriately when using passwd to change normal user #5363
Comments
Hi, can you add your PAM configuration for the passwd command? It is typically
bye,

Thank you for your attention.

Hi, thanks, yes, this really looks like the default, can you send /etc/pam.d/system-auth as well?
bye,

Hi,
auth required pam_env.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only
session optional pam_keyinit.so revoke

Hi, this looks ok as well. Can you run passwd with strace like
and attach /tmp/passwd.out to this ticket? Please note that /tmp/passwd.out will contain the passwords you are entering at the prompt so please make sure you are using dummy passwords for the test.
bye,

Hi, please confirm the following result.

Hi, thanks for the strace output. Can you check if
I can only reproduce the behavior you are seeing if it is missing for both binaries. You can also check with
where
bye,

Hi, please confirm the result. Thanks.

Hi, this looks good, so next try, does your
bye,

Hi,

Hi, are there messages in the journal or in /var/log/secure at the time you are trying to change the password? Does the password change work if you comment out
bye,

Hi, The message in /var/log/secure: And I commented out password sufficient pam_sss.so use_authtok in /etc/pam.d/system-auth, And if you need further confirmation, please install Fedora, it will make the investigation more efficient.

Hi, for a user from
I'm using a dedicated Fedora 33 VM since you've opened the ticket trying to reproduce your issue but it is working as expected for me:
bye,

Hi,

Hi, thanks, now it makes sense. This was also reported in https://bugzilla.redhat.com/show_bug.cgi?id=1659100 and the reason is that SSSD does not properly check if some other module has already asked for the old password. @justin-stephenson, I think you can use this as the upstream-ticket for the issue. Do you want to add the link to the bugzilla ticket or shall I?
bye,

Hi, @sumit-bose @justin-stephenson

@sumit-bose @justin-stephenson

Hi, unfortunately this is only a workaround if you only have local users. If SSSD manages non-local users, e.g. user from LDAP or AD, then using
So the issue needs a fix in pam_sss.
bye,

Will be handled via authselect/authselect#338 / authselect/authselect#344

"Current Password:" shows inappropriately when using passwd command to change the password of the normal user.
Whether the input password on the right of “Current Password:” is correct or not, it will fail.
[root@localhost ~]# su test
[test@localhost root]$ passwd
Changing password for user test.
Current password:
Current Password:
passwd: Authentication token manipulation error
[test@localhost root]$
By the way, the first message "Current password:" is from the pam package,
the second message "Current Password:" is from the sssd package.
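
An added example, not part of the original issue and not SSSD's or authselect's code: a small parser for pam.d files that lists the password stack in order and reports the ordering discussed in this thread, where pam_sss.so runs after a module that has already asked for the old password. The sample file is constructed, and treating pam_unix.so as the module behind the first prompt is an assumption.

```python
import re

# Constructed sample modelled on the lines quoted in this thread; the
# pam_unix.so and pam_deny.so password lines are assumptions, not from the page.
SAMPLE_SYSTEM_AUTH = """\
# constructed sample, not the reporter's full file
auth        required      pam_env.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
"""

# type, control (simple keyword or [bracketed] form), module, arguments
LINE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)\s*(?P<args>.*)$"
)

def parse_stack(text, mgmt_type="password"):
    """Return [(control, module, args)] for one management group, in file order.

    include/substack lines are returned as written; they are not followed.
    """
    text = text.replace("\\\n", " ")            # join continuation lines
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        m = LINE_RE.match(line)
        if m and m["type"] == mgmt_type:
            module = m["module"].rsplit("/", 1)[-1]   # accept absolute paths
            stack.append((m["control"], module, m["args"].split()))
    return stack

def double_prompt_risk(text, first_prompter="pam_unix.so"):
    """True when pam_sss.so runs after first_prompter in the password stack."""
    modules = [mod for _, mod, _ in parse_stack(text)]
    if "pam_sss.so" not in modules or first_prompter not in modules:
        return False
    return modules.index(first_prompter) < modules.index("pam_sss.so")

if __name__ == "__main__":
    for control, module, args in parse_stack(SAMPLE_SYSTEM_AUTH):
        print(f"{control:12} {module:18} {' '.join(args)}")
    print("double prompt expected:", double_prompt_risk(SAMPLE_SYSTEM_AUTH))
```

A True result only identifies the stack ordering; as the thread notes, commenting out the pam_sss.so line is a workaround solely for hosts with local users.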