#2029 passwd returns "Authentication token manipulation error" when entering wrong current password
Closed: Fixed. Opened 5 years ago by dpal.

Description of problem:
Trying to do a password change as an LDAP user using pam_sss.so and entering
the wrong 'current' password results in:
passwd: Authentication token manipulation error

which can be interpreted by an end user as a system error rather than the hint
of a wrong password.

Version-Release number of selected component (if applicable):
sssd-client-1.9.2-82.el6

How reproducible:
Always

Steps to Reproduce:
1. configure ldap server with at least one user
2. configure sssd to use ldap as the id_provider, auth_provider and
   chpass_provider
3. set sss as provider in /etc/nsswitch.conf
4. enable pam_sss in system-auth-ac as per RHEL6 Deployment guide
5. login as the ldap user
6. issue a password change request by running passwd
7. enter a wrong 'current' password


Actual results:
$ passwd
Changing password for user ldapuser.
Current Password: 
passwd: Authentication token manipulation error

Expected results:
More descriptive message like:
Authentication failed for user ldapuser

Additional info:
* The authentication failure is logged in /var/log/secure as:
Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)

* It looks like the pam module returns PAM_AUTHTOK_ERR instead of PAM_AUTH_ERR
* Similar behavior when using pam_unix with a local user
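The /var/log/secure line quoted above is what an administrator has to work from when a user reports the "token manipulation" message. As an added example (not code from the ticket or from SSSD), the Python below parses that pam_sss line format and counts chauthtok failures per user, separating the wrong-old-password case (PAM_AUTH_ERR, code 7) from any other return code, which is the case that actually deserves a look at the backend. The PAM code values are Linux-PAM's; the two extra log lines are constructed to match the format.

```python
import re
from collections import Counter

# Linux-PAM return codes relevant to the ticket (values from <security/_pam_types.h>).
PAM_AUTH_ERR = 7       # pam_strerror: "Authentication failure"
PAM_AUTHTOK_ERR = 20   # pam_strerror: "Authentication token manipulation error"

# Matches the pam_sss result line format from /var/log/secure quoted in the ticket.
PAM_SSS_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?: pam_sss\((?P<service>[^:]+):(?P<op>[^)]+)\): "
    r"(?P<msg>.+?) for user (?P<user>[^\s:]+): (?P<code>\d+) \((?P<reason>[^)]+)\)$"
)

def parse_pam_sss_line(line):
    """Return a dict of the line's fields, or None if it is not a pam_sss result line."""
    m = PAM_SSS_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["code"] = int(rec["code"])
    return rec

def summarize_chauthtok_failures(lines):
    """Count chauthtok failures per user: 'wrong_old_password' when the backend
    returned PAM_AUTH_ERR (the old-password bind failed), 'other' for any other
    code, which usually points at a backend or configuration problem."""
    summary = {"wrong_old_password": Counter(), "other": Counter()}
    for line in lines:
        rec = parse_pam_sss_line(line)
        if rec is None or rec["op"] != "chauthtok":
            continue  # not a pam_sss result line, or not a password change
        bucket = "wrong_old_password" if rec["code"] == PAM_AUTH_ERR else "other"
        summary[bucket][rec["user"]] += 1
    return summary

# Constructed sample: the ticket's own line plus two made-up lines in the same syslog format.
SAMPLE_LOG = [
    "Jul  9 13:33:11 hostname passwd: pam_sss(passwd:chauthtok): Authentication failed for user ldapuser: 7 (Authentication failure)",
    "Jul  9 13:35:02 hostname passwd: pam_sss(passwd:chauthtok): Password change failed for user ldapuser: 20 (Authentication token manipulation error)",
    "Jul  9 13:36:40 hostname sshd[4242]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.5 user=ldapuser",
]

if __name__ == "__main__":
    for bucket, counts in summarize_chauthtok_failures(SAMPLE_LOG).items():
        print(bucket, dict(counts))
```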

I discussed the issue on IRC with Stephen. We came to the conclusion that we should add a quite generic message along the lines of "Old password not accepted". The reason for such a generic message is that it's not quite clear that all the scenarios where the bind with the old password would end up returning PAM_AUTH_ERROR would also mean that the old password was mistyped.

Fields changed

owner: somebody => mzidek

resolution: => fixed
status: new => closed

Fields changed

changelog: => When the user enters old password wrong during a password change, the SSSD now prints a more descriptive error message.

Metadata Update from @dpal:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2
