[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: password-changing HOWTO?

On Wed, 31 Jul 1996, Elliot Lee wrote:

> Well, if the user changes their password, the module needs to make sure
> that the user is really changing their password when it expires, and in
> other cases.

Shouldn't the auth module be checking for expiry?  The password module 
should just handle management of the token and keep track of its age, and 
maybe report the password as expired if queried, BUT, it shouldn't 
be actively checking the expiry and then forcing a change - /bin/login 
should do that via the auth module.

> The problem is that the password module cannot distinguish between when
> root is running 'passwd' from the command line to set a user's password,
> and when root is running 'login' from 'getty' to log in a user.

It seems like we've got some confusion over what is in the authentication
module and what's in the password module (well, I'm confused anyway).  If
I'm not mistaken, all the password module should do is return PAM_SUCCESS
if the token entered matches that in the database, otherwise return an
If you call the change_token function, the password module should just 
change the token in the database, WITHOUT worrying about authentication 
(that should be taken care of by the token changing program).

So, if the euid is 0, just call pam_chauthtok, if not, pam_authenticate
and then call pam_chauthtok (I don't have the specs in front of me; these 
function names probably aren't quite right).


Judd Bourgeois      | When we are planning for posterity,
shagboy@bluesky.net | we ought to remember that virtue is
Finger for PGP key  | not hereditary.        Thomas Paine

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []