passwd myuser

Changing password for myuser

Enter old password for myuser:

Enter new password for myuser:

Retype new password for myuser:

Retype new password for myuser: <-- This line is redundant

As a result of this password rotations in PAM fail and so do many applications which were expecting password prompt to be required only twice for the new password.

UNAB releases prior to 14.10.50.80

SUSE Linux Enterprise Server 15 SP3

Possibly other SUSE versions affected

This is caused by a change in the common-passwd specification under /etc/pam.d which is introduced by UNAB versions prior to 14.10.50.80

The original SUSE 15 SP3 common-password configuration (prior to installing UNAB or PAM) contains the following lines:

password        requisite       pam_cracklib.so retry=8 difok=4 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password        required        pam_pwhistory.so        remember=24
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass

But after installing UNAB, this is changed to

password  optional  pam_unix_passwd.so
password    sufficient  pam_uxauth.so
password        requisite       pam_cracklib.so retry=8 difok=4 minlen=12 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password        required        pam_pwhistory.so        remember=24
password        required        pam_unix.so     use_authtok nullok shadow try_first_pass

It is this first password  optional  pam_unix_passwd.so that is causing the issue to appear.

A workaround may be to comment out  password  optional  pam_unix_passwd.so and move the password    sufficient  pam_uxauth.so line to the last one so that password is passed from the PAM stack

However, this is a known issue which has been fixed in UNAB version 14.10.50.80, so the recommended way is to install that upgrade

It must be pointed out that the pam.d components are quite different across OS, so other flavors of Linux may not be affected by the same problem in older versions of the UNAB package