passwd asks for new password 4 times [closed]
I just had a strange experience. I created a new user on a server (Ubuntu 10.04, Plesk installed) and then wanted to set the password. Look at that output:
# useradd dev
# passwd dev
Enter new password:
Retype new password:
Geben Sie ein neues UNIX-Passwort ein:
Geben Sie das neue UNIX-Passwort erneut ein:
I had to give a password 4 times. The latter 2 prompts are in german. The password for the latter 2 requests needed to differ from the one given first. What's going on here?
update: # cat /etc/pam.d/passwd # # The PAM configuration file for the Shadow `passwd' service #
@include common-password
# cat /etc/pam.d/system-auth
cat: /etc/pam.d/system-auth: Datei oder Verzeichnis nicht gefunden
(/etc/pam.d/system-auth doesn't exist) Btw. can I somehow set all such output to be english, without changing system locale (which may affect other things)?
update2:
# cat /etc/pam.d/common-password
# here are the per-package modules (the "Primary" block)
password optional pam_plesk.so try_first_pass
password [success=1 default=ignore] pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Looks like Plesk is the culprit. Correct?
The passwd command uses PAM (Pluggable Authentication Modules), which ask the user for passwords and update password hashes in /etc/shadow and/or any other auth backends you've configured. PAM for the passwd command is configured in /etc/pam.d/passwd, which, in your case, merely includes /etc/pam.d/common-password.
You can read a quick introduction about PAM with man 7 pam.
Now I'm not familiar with Plesk, and I'm still a bit of an amateur when it comes to PAM, but I'd be inclined to swap the first two non-blank, non-comment lines so that pam_unix comes before pam_plesk:
...
# here are the per-package modules (the "Primary" block)
password [success=1 default=ignore] pam_unix.so obscure sha512
password optional pam_plesk.so try_first_pass
# here's the fallback if no module succeeds
password requisite pam_deny.so
...
I'll tell you why. You see that try_first_pass option after pam_plesk? It means that if this particular module is being run after a different one, one that already asked for the user's password, then it should try to reuse that password instead of asking again. However since pam_plesk runs first, there's no already-entered password to try, so you get the first two prompts. And then pam_unix runs, and it doesn't have try_first_pass either, so you get the other two prompts.
Alternatively you could try adding try_first_pass to the pam_unix line.
Make a backup of the common-passwd file, just in case, so you can rever the changes if they do not work. I don't have access to Plesk so I cannot test the suggested changes myself.
In my case linux passwd change command asking me to Retype new password twice. Ideally it should be once
So i removed below line from /etc/pam.d/passwd file. Post that passwd command not asking me to Retype new password twice.
password required pam_pwquality.so retry=5
Pre Artifact:
[root@linuxvmproddbserver ~]# cat /etc/pam.d/passwd #%PAM-1.0 auth include system-auth account include system-auth password substack system-auth -password optional pam_gnome_keyring.so use_authtok password substack postlogin password required pam_pwquality.so retry=5
Post Artifact:
[root@linuxvmproddbserver ~]# cat /etc/pam.d/passwd #%PAM-1.0 auth include system-auth account include system-auth password substack system-auth -password optional pam_gnome_keyring.so use_authtok password substack postlogin