Unable to change password on login prompt since linux-pam-1.5.2-r4
commit b69410f4 installed a new /etc/pam.d/login which uses (ultimately) base-auth for password
The previous login file (as provided by util-linux-login-2.38.1-r1 on an older system) used base-password.
The difference is as follows:
armadillo:/etc/pam.d# grep password base-password
password required pam_unix.so nullok md5 sha512
armadillo:/etc/pam.d# grep password base-auth
password sufficient pam_unix.so nullok sha512 shadow try_first_pass use_authtok
Removing use_authtok from base-auth makes logging in work again; here's what man pam_unix has to say about it:
use_authtok
When password changing enforce the module to set the new password to the
one provided by a previously stacked password module (this is used in the
example of the stacking of the pam_passwdqc module documented below).
My understanding of the problem is just that there was no previous token, so it couldn't reuse one and failed; and there is no fallback so it just fails there; but I'm not quite sure how that is different from try_first_pass... in case the token isn't a password but an OTP token perhaps? Anyway...
My naive solution would be to change base-auth to have a second required password after the first sufficient one; so if an authtok was available the first one will be sufficient and pam stops there, and if it wasn't available the user gets prompted for a password again:
password sufficient pam_unix.so nullok sha512 shadow try_first_pass use_authtok
password required pam_unix.so nullok sha512 shadow try_first_pass
What do you think?
cc @psykose who did the change on linux-pam side (didn't check login side)
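To make the stacking argument above concrete, here is a small model of how a Linux-PAM `password` stack is evaluated (`sufficient` success ends the stack, a failing `sufficient` is ignored, a failing `required` is remembered but the stack keeps going). This is an added example, not code from Linux-PAM, util-linux or the aports base-* files; the `pam_unix_password` function is a simplified stand-in for the real module's chauthtok phase, and the assumption is that with `use_authtok` and no token from an earlier module it fails instead of prompting, while a stack in which no module produced a result ends as `PAM_PERM_DENIED`. The three stacks are the lines quoted in this issue.

```python
"""Toy model of Linux-PAM password-stack evaluation (added example, not PAM code).

Models just enough of pam_unix's password phase to show why a lone
'sufficient ... use_authtok' line fails at the login prompt, and why adding a
'required ... try_first_pass' fallback line behind it works.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTHTOK_ERR = "PAM_AUTHTOK_ERR"   # assumed return of pam_unix when no token is available
PAM_PERM_DENIED = "PAM_PERM_DENIED"   # assumed result of a stack in which nothing decided


@dataclass
class Module:
    control: str                      # required | requisite | sufficient | optional
    name: str                         # e.g. "pam_unix.so"
    options: List[str] = field(default_factory=list)


@dataclass
class Context:
    authtok: Optional[str] = None     # PAM_AUTHTOK left behind by an earlier password module
    prompt: Optional[Callable[[], Optional[str]]] = None  # asks the user for a new password
    prompts: int = 0                  # how many times the user was asked


def pam_unix_password(ctx: Context, options: List[str]) -> str:
    """Simplified model of pam_unix's password (chauthtok) phase."""
    if "use_authtok" in options:
        # Must reuse the token set by a previously stacked module; never prompts.
        return PAM_SUCCESS if ctx.authtok is not None else PAM_AUTHTOK_ERR
    if "try_first_pass" in options and ctx.authtok is not None:
        return PAM_SUCCESS            # reuse the earlier token if there is one...
    if ctx.prompt is None:
        return PAM_AUTHTOK_ERR
    ctx.prompts += 1
    new = ctx.prompt()                # ...otherwise ask the user for one
    if not new:
        return PAM_AUTHTOK_ERR
    ctx.authtok = new                 # export it for modules stacked after this one
    return PAM_SUCCESS


def run_password_stack(stack: List[Module], ctx: Context) -> str:
    """Evaluate a 'password' stack with the classic control-flag semantics."""
    required_failure: Optional[str] = None
    any_success = False
    for mod in stack:
        rc = pam_unix_password(ctx, mod.options)
        if rc == PAM_SUCCESS:
            any_success = True
        if mod.control == "requisite" and rc != PAM_SUCCESS:
            return rc                 # requisite failure aborts immediately
        if mod.control == "required" and rc != PAM_SUCCESS and required_failure is None:
            required_failure = rc     # remembered, but the stack continues
        if mod.control == "sufficient" and rc == PAM_SUCCESS and required_failure is None:
            return PAM_SUCCESS        # sufficient success ends the stack right here
        # a failing 'sufficient' (or any 'optional' module) is simply ignored
    if required_failure is not None:
        return required_failure
    return PAM_SUCCESS if any_success else PAM_PERM_DENIED


# The stacks quoted in the issue (options copied from the grep output / proposal).
CURRENT_BASE_AUTH = [
    Module("sufficient", "pam_unix.so", "nullok sha512 shadow try_first_pass use_authtok".split()),
]
PROPOSED_BASE_AUTH = CURRENT_BASE_AUTH + [
    Module("required", "pam_unix.so", "nullok sha512 shadow try_first_pass".split()),
]
OLD_BASE_PASSWORD = [
    Module("required", "pam_unix.so", "nullok md5 sha512".split()),
]


def change_password(stack: List[Module], prior_authtok: Optional[str] = None,
                    new_password: str = "constructed-new-pw") -> Tuple[str, int]:
    """Run one password change; returns (final PAM result, number of prompts shown)."""
    ctx = Context(authtok=prior_authtok, prompt=lambda: new_password)
    return run_password_stack(stack, ctx), ctx.prompts


if __name__ == "__main__":
    for label, stack in (("current base-auth", CURRENT_BASE_AUTH),
                         ("proposed base-auth", PROPOSED_BASE_AUTH),
                         ("old base-password", OLD_BASE_PASSWORD)):
        print(f"{label:20s} no prior token -> {change_password(stack)}")
        print(f"{label:20s} prior token    -> {change_password(stack, 'from-earlier-module')}")
```

Run as-is, the model shows the current base-auth failing without ever prompting (the only line is `sufficient` with `use_authtok`, it fails, is ignored, and nothing else decides), the proposed two-line version prompting once and succeeding, and both versions skipping the prompt entirely when an earlier module already left a token, which is the case the `sufficient` line is meant to cover.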