[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

Alejandro Santoyo Gonzalez Tue, 08 Nov 2022 08:15:25 -0800

** Also affects: ubuntu-security-certifications
   Importance: Undecided
       Status: New


-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/1989731

Title:
  Non-root user unable to change own password if pam_pwhistory is used

Status in Ubuntu Security Certifications:
  New
Status in pam package in Ubuntu:
  New

Bug description:
  When pam_pwhistory is in use non-root users are unable to change their
  passwords. In fact, they are able to change it but the system spits
  out an error even though the password was indeed changed.

  Reproducer:
  -----------

  1. created an Ubuntu/Focal VM
  2. added a user 'test'

  sudo adduser test # used passwd '123'
  su test

  3. changed the password using 'passwd' logged in as the user 'test'

  passwd test # used passwd '1qaz2wsx'

  4. logged out from 'test' and executed

  echo 'password required pam_pwhistory.so remember=5' | sudo tee -a
  /etc/pam.d/common-password

  5. tried again to follow step 3 as user 'test' but the following
  happens:

  passwd test # used passwd '3edc4rfv' (1)
  Changing password for test.
  Current password:
  New password:
  Retype new password:
  Password has been already used. Choose another.
  passwd: Have exhausted maximum number of retries for service
  passwd: password unchanged

  However, I'm now able to log in as 'test' using the password in
  (1) (the one that was supposedly not set up due to having been
  already used) instead of the old one (the one that should be in
  place since the change process returned an error).

  6. if I comment out 'password required pam_pwhistory.so remember=5'
  then I can log in as 'test' and change the password without issues

  This behavior has been verified with the below package versioning:

  ii  libpam-cap:amd64                1:2.32-1                              
amd64        POSIX 1003.1e capabilities (PAM module)
  ii  libpam-modules:amd64            1.3.1-5ubuntu4.3                      
amd64        Pluggable Authentication Modules for PAM
  ii  libpam-modules-bin              1.3.1-5ubuntu4.3                      
amd64        Pluggable Authentication Modules for PAM - helper binaries
  ii  libpam-runtime                  1.3.1-5ubuntu4.3                      all 
         Runtime support for the PAM library
  ii  libpam-systemd:amd64            245.4-4ubuntu3.15                     
amd64        system and service manager - PAM module
  ii  libpam0g:amd64                  1.3.1-5ubuntu4.3                      
amd64        Pluggable Authentication Modules library

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-security-certifications/+bug/1989731/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1989731] Re: Non-root user unable to change own password if pam_pwhistory is used

Reply via email to