PAM config: move pam_cracklib to first position

This fixes a bug where Linux-PAM asks for the new password three times
when changing the password.  With this fix, PAM asks for the new password
and then only once more to confirm it - two times total.

This bug applies to the `passwd` command, to the expired password dialog
when signing into the console using an account which has an expired
password, and to other similar uses of the PAM conversation function such
as changing the password during SSH login.

This does not affect the external behavior of the REST APIs or the webui
because they use automated PAM conversation functions which programmatically
supply the password as many times as it is requested.

The bug happens like this:
When PAM is asked to change a password via pam_chauthtok, it reads the
/etc/pam.d/common-password file and executes the first module, pam_ipmicheck.
This calls pam_get_authtok(pamh, PAM_AUTHTOK, &pass_new, NULL) which prompts
for the new password and then prompts again to verify they are the same.
The next module, pam_cracklib, makes two calls: a call to
pam_get_authtok_noverify() followed by a call to pam_get_authtok_verify().
The call to pam_get_authtok_noverify() does NOT prompt because the new
password is already known to PAM, but the call to pam_get_authtok_verify()
unconditionally prompts to validate the password.  That's why we see two
prompts to "Retype" the new password.  The first is from pam_ipmicheck, and
the second is from pam_cracklib/pam_get_authtok_verify.

The fix is to invoke pam_cracklib first and pam_ipmicheck second.
Then pam_cracklib does all of its prompting, and pam_ipmicheck gets what it
needs without prompting.  The pam_ipmicheck module only checks the username
and password length, so switching the sequence of these modules should be
harmless.
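The prompt-count behaviour described above, as an added illustration rather than Linux-PAM or OpenBMC code: a small model of the password stack in which pam_get_authtok, pam_get_authtok_noverify and pam_get_authtok_verify behave as the commit message states, and pam_chauthtok walks the modules in the order given. The helper names, the scripted conversation function and the IPMI password-length limit are assumptions made for the example.

```python
"""Toy model of the Linux-PAM password-change conversation described in the
commit message.  Added illustration, not Linux-PAM or OpenBMC code: the
helpers, the scripted conversation function and the length limit are
assumptions chosen to reproduce the behaviour the text describes."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Conv = Callable[[str], str]          # stand-in for the PAM conversation function

NEW_PROMPT = "New password: "
RETYPE_PROMPT = "Retype new password: "


@dataclass
class PamHandle:
    """Minimal stand-in for pam_handle_t: the cached PAM_AUTHTOK item plus a
    record of every prompt the conversation function was asked to answer."""
    authtok: Optional[str] = None
    prompts: List[str] = field(default_factory=list)


def pam_get_authtok(pamh: PamHandle, conv: Conv) -> Optional[str]:
    """Model of pam_get_authtok(pamh, PAM_AUTHTOK, ...): if no token is cached,
    prompt for the new password and once more to confirm it."""
    if pamh.authtok is None:
        first = conv(NEW_PROMPT)
        again = conv(RETYPE_PROMPT)
        if first != again:
            return None
        pamh.authtok = first
    return pamh.authtok


def pam_get_authtok_noverify(pamh: PamHandle, conv: Conv) -> str:
    """Model of pam_get_authtok_noverify(): prompt only if nothing is cached."""
    if pamh.authtok is None:
        pamh.authtok = conv(NEW_PROMPT)
    return pamh.authtok


def pam_get_authtok_verify(pamh: PamHandle, conv: Conv) -> bool:
    """Model of pam_get_authtok_verify(): always prompts for the retype, as the
    commit message describes, and compares it against the cached token."""
    return conv(RETYPE_PROMPT) == pamh.authtok


IPMI_MAX_PASSWORD_LEN = 20   # assumed limit standing in for pam_ipmicheck's length check


def pam_ipmicheck(pamh: PamHandle, conv: Conv) -> bool:
    """Model of pam_ipmicheck: fetches the token via pam_get_authtok and checks
    its length (the real module also checks the user name)."""
    pw = pam_get_authtok(pamh, conv)
    return pw is not None and len(pw) <= IPMI_MAX_PASSWORD_LEN


def pam_cracklib(pamh: PamHandle, conv: Conv) -> bool:
    """Model of pam_cracklib: noverify fetch, strength check, then verify."""
    pw = pam_get_authtok_noverify(pamh, conv)
    if len(pw) < 8:              # stand-in for the real dictionary/strength checks
        return False
    return pam_get_authtok_verify(pamh, conv)


Module = Callable[[PamHandle, Conv], bool]
BUGGY_ORDER: List[Module] = [pam_ipmicheck, pam_cracklib]   # common-password before the fix
FIXED_ORDER: List[Module] = [pam_cracklib, pam_ipmicheck]   # common-password after the fix


def run_chauthtok(stack: List[Module], answers: List[str]) -> Tuple[bool, List[str]]:
    """Model of pam_chauthtok() walking the password stack with a scripted
    conversation function.  `answers` is consumed one prompt at a time; the
    last answer is repeated for as long as PAM keeps asking, which is how the
    automated conversation used by the REST API behaves.  Returns
    (success, prompts_issued)."""
    pamh = PamHandle()
    remaining = list(answers)

    def conv(prompt: str) -> str:
        pamh.prompts.append(prompt)
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]

    for module in stack:
        if not module(pamh, conv):
            return False, pamh.prompts
    return True, pamh.prompts


if __name__ == "__main__":
    for name, stack in (("buggy", BUGGY_ORDER), ("fixed", FIXED_ORDER)):
        ok, prompts = run_chauthtok(stack, ["correct-horse"])
        print(f"{name}: ok={ok}, {len(prompts)} prompts -> {prompts}")
```

Running the block shows three prompts (new, retype, retype) for the original ordering and two for the fixed one; feeding two different answers to the fixed stack shows pam_get_authtok_verify rejecting the mismatch after exactly the two prompts the fix leaves in place.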

Tested: yes, via the "passwd USER" command

Signed-off-by: Joseph Reynolds <joseph-reynolds@charter.net>
Change-Id: I2f90a0e931ba9f5deda2beaa6f0c5fe35b2c99b8
1 file changed