DoublePasswordPromt

Special thanks

  • Thanks go to genii from #ubuntu channel for helping me trackdown the issue.

The Probblem

  • When you use sudo or when logging in, you get asked for your password two times (could be more), even though you enter the password correctly the first time.

Reason

  • The reason for the problem is if you tried to install kerberos.

What happens

  • Here is a dump of my /etc/pam.d/common-auth 

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#auth   required        pam_unix.so nullok_secure

auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    sufficient      pam_unix.so likeauth nullok slavik
auth    required        pam_deny.so

Of course, this causes problems.

  • What happens is the first time you enter your password, it tries to authenticate with kerberos using pam_krb5.so (LDAP, OpenDirectory, ActiveDirectory) and fails. Then the pam_unix.so module is called to try and authenticate you it gives you another password promt. This is the one that we want, since it checks password locally.

The fix

  • The fix is very easy, simply make sure that the following line is the first uncommented line (except empty lines)

auth    sufficient      pam_unix.so likeauth nullok slavik

And here is my updated /etc/pam.d/common-auth 

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#auth   required        pam_unix.so nullok_secure
auth    sufficient      pam_unix.so likeauth nullok slavik
auth    sufficient      pam_krb5.so ccache=/tmp/krb5cc_%u
auth    required        pam_deny.so

DoublePasswordPromt (last edited 2008-08-27 14:44:53 by inbound)