[Bug 1989731] [NEW] Non-root user unable to change own password if pam_pwhistory is used

Launchpad Bug Tracker 1989731 at bugs.launchpad.net
Thu Sep 15 14:24:23 UTC 2022 

You have been subscribed to a public bug:

When pam_pwhistory is in use non-root users are unable to change their
passwords. In fact, they are able to change it but the system spits out
an error even though the password was indeed changed.

Reproducer:
-----------

1. created an Ubuntu/Focal VM
2. added a user 'test'

sudo adduser test # used passwd '123'
su test

3. changed the password using 'passwd' logged in as the user 'test'

passwd test # used passwd '1qaz2wsx'

4. logged out from 'test' and executed

echo 'password required pam_pwhistory.so remember=5' | sudo tee -a
/etc/pam.d/common-password

5. tried again to follow step 3 as user 'test' but the following
happens:

passwd test # used passwd '3edc4rfv' (1)
Changing password for test.
Current password:
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged

However, I'm now able to log in as 'test' using the password in
(1) (the one that was supposedly not set up due to having been
already used) instead of the old one (the one that should be in
place since the change process returned an error).

6. if I comment out 'password required pam_pwhistory.so remember=5'
then I can log in as 'test' and change the password without issues

This behavior has been verified with the below package versioning:

ii  libpam-cap:amd64                1:2.32-1                              amd64        POSIX 1003.1e capabilities (PAM module)
ii  libpam-modules:amd64            1.3.1-5ubuntu4.3                      amd64        Pluggable Authentication Modules for PAM
ii  libpam-modules-bin              1.3.1-5ubuntu4.3                      amd64        Pluggable Authentication Modules for PAM - helper binaries
ii  libpam-runtime                  1.3.1-5ubuntu4.3                      all          Runtime support for the PAM library
ii  libpam-systemd:amd64            245.4-4ubuntu3.15                     amd64        system and service manager - PAM module
ii  libpam0g:amd64                  1.3.1-5ubuntu4.3                      amd64        Pluggable Authentication Modules library

** Affects: pam (Ubuntu)
     Importance: Undecided
         Status: New

-- 
Non-root user unable to change own password if pam_pwhistory is used
https://bugs.launchpad.net/bugs/1989731
You received this bug notification because you are a member of Ubuntu Foundations Bugs, which is subscribed to pam in Ubuntu.

More information about the foundations-bugs mailing list