passwd asks for new password 4 times

Question

I just had a strange experience. I created a new user on a server (Ubuntu 10.04, Plesk installed) and then wanted to set the password. Look at that output:

# useradd dev
# passwd dev
Enter new password:
Retype new password:
Geben Sie ein neues UNIX-Passwort ein: 
Geben Sie das neue UNIX-Passwort erneut ein:

I had to give a password 4 times. The latter 2 prompts are in german. The password for the latter 2 requests needed to differ from the one given first. What's going on here?

update: # cat /etc/pam.d/passwd # # The PAM configuration file for the Shadow `passwd' service #

@include common-password

# cat /etc/pam.d/system-auth
cat: /etc/pam.d/system-auth: Datei oder Verzeichnis nicht gefunden

(/etc/pam.d/system-auth doesn't exist) Btw. can I somehow set all such output to be english, without changing system locale (which may affect other things)?

update2:

# cat /etc/pam.d/common-password 

# here are the per-package modules (the "Primary" block)
password optional pam_plesk.so try_first_pass
password        [success=1 default=ignore]      pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

Looks like Plesk is the culprit. Correct?

Can you provide `/etc/pam.d/passwd` and `/etc/pam.d/system-auth` if they exist? If they dont exist what distro are you running? — phemmer, Mar 18 '12 at 02:10
@Patrick: "Ubuntu 10.04, Plesk installed", as per the question. — womble, Mar 18 '12 at 02:53

score 3 · Accepted Answer · answered Mar 18 '12 at 18:22

The passwd command uses PAM (Pluggable Authentication Modules), which ask the user for passwords and update password hashes in /etc/shadow and/or any other auth backends you've configured. PAM for the passwd command is configured in /etc/pam.d/passwd, which, in your case, merely includes /etc/pam.d/common-password.

You can read a quick introduction about PAM with man 7 pam.

Now I'm not familiar with Plesk, and I'm still a bit of an amateur when it comes to PAM, but I'd be inclined to swap the first two non-blank, non-comment lines so that pam_unix comes before pam_plesk:

...
# here are the per-package modules (the "Primary" block)
password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        optional                        pam_plesk.so try_first_pass
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
...

I'll tell you why. You see that try_first_pass option after pam_plesk? It means that if this particular module is being run after a different one, one that already asked for the user's password, then it should try to reuse that password instead of asking again. However since pam_plesk runs first, there's no already-entered password to try, so you get the first two prompts. And then pam_unix runs, and it doesn't have try_first_pass either, so you get the other two prompts.

Alternatively you could try adding try_first_pass to the pam_unix line.

Make a backup of the common-passwd file, just in case, so you can rever the changes if they do not work. I don't have access to Plesk so I cannot test the suggested changes myself.

For being a pam amateur, you understand it well enough. Everything you said is correct :-) — phemmer, Mar 18 '12 at 19:44

score 1 · Answer 2 · answered Aug 26 '21 at 08:46

In my case linux passwd change command asking me to Retype new password twice. Ideally it should be once

So i removed below line from /etc/pam.d/passwd file. Post that passwd command not asking me to Retype new password twice.

 password  required  pam_pwquality.so  retry=5

Pre Artifact:

 
[root@linuxvmproddbserver ~]# cat /etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok
password   substack     postlogin
password  required  pam_pwquality.so  retry=5

Post Artifact:

 
[root@linuxvmproddbserver ~]# cat /etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   substack     system-auth
-password   optional    pam_gnome_keyring.so use_authtok
password   substack     postlogin

passwd asks for new password 4 times

2 Answers2