Closed thorian93 closed 6 years ago
Hi Thorian,
Let me give it a try. Do you know a way of automating that test?
Best, Ben
On Aug 6, 2018, at 12:28 AM, Thorian93 notifications@github.com wrote:
Hi Harry,
I found another, let's call it a bug: After applying the role I have to type my password four times when changing it. The normal behaviour would be to type it only twice. Can you reproduce that?
Hi Thorian
So I am guessing you get this:

[root@ip-172-31-23-169 ~]# passwd bwright
Changing password for user bwright.
New password:
Retype new password:
Retype new password:
Enter new UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@ip-172-31-23-169 ~]#

OK, so I also get the same problem on Red Hat 7.5. I think it relates to the password-auth-local template I put in place following our last change, but I will confess I don't know why. Will read up a little and do some tests, as well as log a ticket with the CIS Team (they may have already identified the problem).
Best, Ben

Hi Thorian,
Logged a discussion ticket with the CIS Benchmarks crew, will see what the response is tomorrow. I have looked around on the web but cannot find anything specific (and I don't have the right level of support access with Red Hat).
Best, Ben
Hi Ben,
you are saving my day, thank you! I cannot get any time to research this and I also do not have any knowledge of PAM (as you know already..).
But I can confirm that we are looking at the exact same issue as my systems are CentOS 7.5.1804 with up to date patch level and they show the very prompts you showed earlier.
Hi Thorian,
No problem, I have a response which I can try tonight (I did something similar but it did not work out last night):
From CIS discussions: I think pwquality.so needs to be a single line with two parameters instead of two lines with one parameter each.
Best
Hi Thorian,
I tried this with no joy. Found an article and tried that, but with no joy: https://support.hpe.com/hpsc/doc/public/display?docId=mmr_kc-0130690
Tried a selection of different options. For now I think I am going to have to build that "section" from scratch again, that is, add one parameter, then the next etc., trying it each time. Going on holiday tomorrow, so hopefully early next week I will have a solution.
Best, Ben
Hi Ben,
bummer that there is no easy solution apparently. But a big shout out thanks to you for the awesome support and the effort you put into this! 🥇
Have a great holiday and enjoy yourself! 😄
Hi Thorian,
Had feedback from CIS Group. James suggested changing the Auth section above the password section, resulting in:

auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
At least I have two checks to make, validating sudo (for a password) and validating the number of password validations prompts. If there are more let me know.
Thanks
Hi Ben,
I was waiting for the results of your tests, but I can also assist in testing. Where do I have to put the config snippet you provided exactly to check the functionality?
Thanks
Hi Thorian,
Sorry, I have been tied up in various family things recently, and the football season starts again....
Ran the two tests we are validating against for this configuration (at this point in time):
1) sudo - user still has to enter a password
2) passwd - check that the user only has 2 x password prompts (not currently 4 x)
I have checked and changed multiple things, and I think I had something right (during one of the checks) but I cannot seem to replicate it again (darn). What I have learned is that after each change it is wise to run "authconfig --updateall", even remove the files password-auth-ac and system-auth-ac to force the system to update these files.
I am going to start again with a fresh head tomorrow.
Best, Ben
Ahh, think I have it: the links are wrong (excluding at least a problem with the file).
password-auth needs to point to password-auth-ac
system-auth needs to point to system-auth-ac
Then I don't get the 4 x prompts for the password. Let me revert things back and then simply change the links in the second part of 5.3.2.yml
Best, Ben
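Ben asked earlier whether the test could be automated, and the thread settles on two checks (sudo still prompts, passwd asks exactly twice) plus the symlink fix above. The script below is an added example, not part of the role or of anything posted in this issue: it checks the pam.d symlinks and gives a static estimate of the new-password prompt count. The sample "password" stacks it builds are constructed for the demo, and the heuristic that every pam_pwquality/pam_cracklib/pam_unix line without use_authtok adds two prompts is an assumption of the example; the real test is still running passwd on the host.

```shell
#!/bin/sh
# Added example (not part of the role or of the thread): automate the two
# checks Ben ran by hand, (1) the pam.d symlinks and (2) the number of
# new-password prompts the "password" stack will produce.

# Constructed sample "password" stacks. Assumption (illustrative, not the
# role's real templates): the four-prompt case is pam_unix.so without
# use_authtok, so it collects its own token after pam_pwquality.so already
# asked for one; the two-prompt case reuses that token via use_authtok.
PAM_PASSWORD_FOUR_PROMPTS='password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass
password    required      pam_deny.so'

PAM_PASSWORD_TWO_PROMPTS='password    requisite     pam_pwquality.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
password    required      pam_deny.so'

# check_pam_links DIR: succeed only if DIR/password-auth and DIR/system-auth
# are symlinks to password-auth-ac and system-auth-ac respectively.
check_pam_links() {
    pamdir=$1
    rc=0
    for name in password-auth system-auth; do
        link="$pamdir/$name"
        if target=$(readlink "$link" 2>/dev/null); then
            case $target in
                "$name-ac"|"$pamdir/$name-ac")
                    echo "OK:   $name -> $target" ;;
                *)
                    echo "FAIL: $name -> $target (expected $name-ac)"; rc=1 ;;
            esac
        else
            echo "FAIL: $link is not a symlink"; rc=1
        fi
    done
    return $rc
}

# expected_new_password_prompts FILE: static estimate of how many times
# passwd will ask for the new password, read from FILE's "password" stack.
# Heuristic (assumption of this example): each pam_pwquality/pam_cracklib/
# pam_unix line without use_authtok asks for the password plus a retype
# (2 prompts); a line with use_authtok reuses the token and asks nothing.
# "include"/"substack" lines are not followed; point it at the resolved file.
expected_new_password_prompts() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "password" && $3 ~ /pam_(pwquality|cracklib|unix)\.so/ {
            if ($0 !~ /use_authtok/) prompts += 2
        }
        END { print prompts + 0 }
    ' "$1"
}

# run_checks DIR: both checks; status 0 only when the links are right and
# the password stack is estimated to yield exactly two prompts.
run_checks() {
    check_pam_links "$1" || return 1
    n=$(expected_new_password_prompts "$1/password-auth")
    echo "expected new-password prompts: $n"
    [ "$n" -eq 2 ]
}

# make_fixture broken|fixed: build a throwaway pam.d directory mimicking the
# two states from the thread (wrong links to a -local template vs. links to
# the -ac files) and print its path. Constructed for the demo only.
make_fixture() {
    fdir=$(mktemp -d)
    printf '%s\n' "$PAM_PASSWORD_TWO_PROMPTS" > "$fdir/password-auth-ac"
    printf '%s\n' "$PAM_PASSWORD_TWO_PROMPTS" > "$fdir/system-auth-ac"
    if [ "$1" = fixed ]; then
        ln -s password-auth-ac "$fdir/password-auth"
        ln -s system-auth-ac "$fdir/system-auth"
    else
        printf '%s\n' "$PAM_PASSWORD_FOUR_PROMPTS" > "$fdir/password-auth-local"
        printf '%s\n' "$PAM_PASSWORD_FOUR_PROMPTS" > "$fdir/system-auth-local"
        ln -s password-auth-local "$fdir/password-auth"
        ln -s system-auth-local "$fdir/system-auth"
    fi
    printf '%s\n' "$fdir"
}

# Usage on a live host after applying the role (as root):
#   run_checks /etc/pam.d
# The sudo check stays manual: `sudo -k; sudo -v` must still ask for a password.
```

The static count is only a sanity check on the file; after `authconfig --updateall` or any hand edit, confirm with an actual `passwd` run as in Ben's transcript, since module behaviour (retry, try_first_pass) can change the prompt sequence in ways a line count does not capture.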
Hi Thorian93,
I think I have found the issue, corrected and updated accordingly. I tested against both issue 8 and issue 9 and both passed. Will wait for your feedback then close. Sorry for the delay.
Best, Ben

Hi Thorian93,
Last chance, else I am going to close this.
Best, Ben
Hi Ben, now a sorry from my side: I was and am on holidays, so I will test this next week at the earliest. Feel free to close the issue, I trust your tests and I will go ahead and verify the issue is fixed and update you accordingly as soon as I am able to.
Thank you again for your awesome support! 👍
Hi Thorian,
No problem, will close it. If you want me to review, happy to. Keep well.
Best, Ben
Quick heads up: It works in our CentOS7 environment. Thanks again! 👍