Before I go off and start checking I'm just wondering if anyone has seen this behaviour before.
[root@fbakirpomd4 ~]# passwd e825390
Changing password for user e825390.
New password:
Retype new password:
Retype new password:
passwd: all authentication tokens updated successfully.
As you can see, there is an extra "Retype new Password". The system is:
[root@fbakirpomd4 ~]# uname -a
Linux fbakirpomd4 3.10.0-862.el7.x86_64 #1 SMP Wed Mar 21 18:14:51 EDT 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@fbakirpomd4 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@fbakirpomd4 ~]#
The system has been built and a new "Security Standard" applied, this was done as a result of a "Security Audit" by a company called CGI.
This will cause an issue with a number of the standard accounts that we have on the servers going forward. The idea is to have a standard build, so it has to be correct. One problem that I can foresee is that the passwords are changed on the aforementioned accounts using an expect script, and the second "Retype new Password" will break the script.
So I thought that I'd ask here before I raise an incident with Red Hat support.
I've seen this when multiple PAM rules are matched for one user or group.
Check the PAM configuration for such rules.
For instance:
.. other lines ..
password [default=1 success=ignore] pam_succeed_if.so ... <some conditions like uid gid>
password requisite pam_cracklib.so ... <other pw related stuff>
password [default=1 success=ignore] pam_succeed_if.so ... <other conditions for uid gid>
password requisite pam_cracklib.so ... <other pw related stuff>
... other lines...
If a user matches both conditions, they will get the password prompt twice.
So, AFAIK, PAM rules should be very specific and exclusive, so that two rules do not match one group or user.
This is from a somewhat older release, but in newer ones it is the same, except pam_pwquality.so is used.
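The overlap described in the answer above can be checked per account before a build is rolled out. The following is an added example, not part of the thread: it walks a password stack using the `[default=N success=ignore]` skip behaviour and lists which password-quality modules a given user reaches. The sample stack, the group name `svcaccts`, the uid threshold and the `minlen` values are constructed assumptions, and only two `pam_succeed_if.so` condition forms are modelled.

```python
import operator
import re

# Constructed sample modelled on the layout in the answer; the conditions,
# group name and uid threshold are assumptions, not taken from the thread.
SAMPLE = """\
auth     sufficient pam_unix.so
password [default=1 success=ignore] pam_succeed_if.so quiet user ingroup svcaccts
password requisite pam_cracklib.so retry=3 minlen=14
password [default=1 success=ignore] pam_succeed_if.so quiet uid >= 1000
password requisite pam_cracklib.so retry=3 minlen=8
password sufficient pam_unix.so use_authtok
"""

QUALITY = ("pam_cracklib.so", "pam_pwquality.so")
OPS = {">=": operator.ge, "<=": operator.le, ">": operator.gt,
       "<": operator.lt, "eq": operator.eq, "ne": operator.ne}

def password_stack(text):
    """Return (control, module, args) for each 'password' line."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            stack.append((m.group(1), m.group(2), m.group(3).split()))
    return stack

def condition_holds(args, uid, groups):
    """Evaluate the two pam_succeed_if condition forms used in SAMPLE only."""
    args = [a for a in args if a not in ("quiet", "use_uid", "debug")]
    if args[:2] == ["user", "ingroup"]:
        return args[2] in groups
    if args[0] == "uid" and args[1] in OPS:
        return OPS[args[1]](uid, int(args[2]))
    raise ValueError("condition not modelled: %r" % args)

def quality_modules_reached(text, uid, groups):
    """Walk the stack; return (position, args) of each quality module reached."""
    hits, skip = [], 0
    for idx, (control, module, args) in enumerate(password_stack(text), 1):
        if skip:                      # jumped over by an earlier default=N
            skip -= 1
            continue
        if module == "pam_succeed_if.so" and control.startswith("["):
            if not condition_holds(args, uid, groups):
                skip = int(re.search(r"default=(\d+)", control).group(1))
        elif module in QUALITY:
            hits.append((idx, " ".join(args)))
    return hits
```

Any account for which `quality_modules_reached` returns more than one entry matches overlapping rules and is a candidate for the behaviour described in the answer.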