Non-root user unable to change own password if pam_pwhistory is used
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Ubuntu Security Guide |
Fix Released
|
Undecided
|
David Fernandez Gonzalez | ||
| pam (Ubuntu) |
In Progress
|
Undecided
|
Unassigned | ||
Bug Description
When pam_pwhistory is in use non-root users are unable to change their passwords. In fact, they are able to change it but the system spits out an error even though the password was indeed changed.
Reproducer:
-----------
1. created an Ubuntu/Focal VM
2. added a user 'test'
sudo adduser test # used passwd '123'
su test
3. changed the password using 'passwd' logged in as the user 'test'
passwd test # used passwd '1qaz2wsx'
4. logged out from 'test' and executed
echo 'password required pam_pwhistory.so remember=5' | sudo tee -a /etc/pam.
5. tried again to follow step 3 as user 'test' but the following happens:
passwd test # used passwd '3edc4rfv' (1)
Changing password for test.
Current password:
New password:
Retype new password:
Password has been already used. Choose another.
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
However, I'm now able to log in as 'test' using the password in
(1) (the one that was supposedly not set up due to having been
already used) instead of the old one (the one that should be in
place since the change process returned an error).
6. if I comment out 'password required pam_pwhistory.so remember=5'
then I can log in as 'test' and change the password without issues
This behavior has been verified with the below package versioning:
ii libpam-cap:amd64 1:2.32-1 amd64 POSIX 1003.1e capabilities (PAM module)
ii libpam-
ii libpam-modules-bin 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules for PAM - helper binaries
ii libpam-runtime 1.3.1-5ubuntu4.3 all Runtime support for the PAM library
ii libpam-
ii libpam0g:amd64 1.3.1-5ubuntu4.3 amd64 Pluggable Authentication Modules library
| affects: | ubuntu → pam (Ubuntu) |
| affects: | ubuntu-security-certifications → usg |
| Changed in usg: | |
| assignee: | nobody → David Fernandez Gonzalez (litios) |
| status: | New → In Progress |
| Alejandro Santoyo Gonzalez (al3jandrosg) wrote | #1 |
| Alejandro Santoyo Gonzalez (al3jandrosg) wrote | #2 |
| David Fernandez Gonzalez (litios) wrote | #3 |
| Changed in pam (Ubuntu): | |
| status: | New → Fix Committed |
| status: | Fix Committed → In Progress |
| Changed in usg: | |
| status: | In Progress → Fix Committed |
| Eduardo Barretto (ebarretto) wrote | #4 |
| Changed in usg: | |
| status: | Fix Committed → Fix Released |
It seems like if the line:
'password required pam_pwhistory.so remember=5'
is added before the pam_unix line in /etc/pam.
everything works as expected because the new password now won't match the "old" password that was already in the shadow file (which is what happens if pam_pwhistory line is set after pam_unix).
The problem is that the CIS tooling for Ubuntu seems to be adding this line at the end of the file
hence causing the issue. Do we need to modify this bug in any way to ensure the CIS implementation is amended/fixed as needed?