
Re: RedHat 7.2 pam_unix.so and PAM_AUTHTOK?





Thanks for the links. The tip about the not_set_pass argument sounds like what
I was looking for, but unfortunately it did not fix the problem. With or without the option,
pam_unix is preventing the passwords from being available to my module. Maybe
this is a bug.

I replaced pam_unix.so with pam_pwdb.so in my stack list, and that allowed my
module to retrieve the passwords as expected, so I do not think the problem is
in my module or configuration. I guess I will have to go to the source to try to figure
out why pam_unix is clearing the password tokens. Maybe the module is
doing something that requires it to be the last in line for password management.

-Jonathan
jkung@us.ibm.com


Please respond to pam-list@redhat.com

Sent by: pam-list-admin@redhat.com

To: pam-list@redhat.com
cc:
Subject: Re: RedHat 7.2 pam_unix.so and PAM_AUTHTOK?



On Wed, 2002-07-31 at 03:26, jkung@us.ibm.com wrote:
>
> Hi,
>
> From what I have been able to observe on RedHat 7.2, the pam_unix.so
> password module clears the PAM_AUTHTOK and PAM_OLDAUTHTOK
> tokens so the next stacked password module can not call pam_get_item
> for the data. Is there an argument that can be passed to the pam_unix.so
> password module that will tell it to not clear the tokens?  I want to write
> a pam module that can be called after pam_unix.so, and I want to use
> the passwords that were previously entered by the user.  If I missed some
> documentation or a previous thread on this, I apologize and would
> appreciate a pointer to the info.

Use the argument 'use_first_pass' for your module.

e.g.:

password required pam_unix.so <arguments>
password required my_module use_first_pass <other arguments>


try_first_pass should work too.


See also:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.3
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-4.html


Also check that this is NOT set:

"The not_set_pass argument is used to inform the module that it is not
to pay attention to/make available the old or new passwords from/to
other (stacked) password modules."

That's from
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.26


Failing that, set debug and poke around in the source to see what it's
doing wrong.




Jenn V.
--

jenn@anthill.echidna.id.au     http://anthill.echidna.id.au/~jenn/




_______________________________________________
Pam-list mailing list
Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
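
Added example, not part of the original thread or of Linux-PAM: a small check of the `password` stack for the two settings discussed in the reply above (`not_set_pass` on pam_unix.so, and a later module lacking `use_first_pass`/`try_first_pass`). It assumes pam.d-style lines and that stacked modules honour those arguments; `my_module.so` and `other_module.so` are hypothetical names and the sample configuration is constructed.

```python
# Added example: lint the 'password' stack of a pam.d-style file.
# Assumption: stacked modules honour use_first_pass / try_first_pass.
SHARE_ARGS = {"use_first_pass", "try_first_pass"}

# Constructed sample configuration (my_module.so / other_module.so are hypothetical).
SAMPLE = """\
# constructed sample
auth      required  pam_unix.so
password  required  pam_unix.so not_set_pass
password  required  my_module.so
password  required  other_module.so use_first_pass
"""

def parse_password_stack(text):
    """Return [(lineno, module, args)] for each 'password' module line."""
    stack = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0].lstrip("-") != "password":
            continue
        if fields[1] in ("include", "substack"):
            continue  # names another config file, not a module
        i = 1
        if fields[1].startswith("["):  # control such as [success=1 default=ignore]
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields):
            continue  # malformed line: no module path
        module = fields[i + 1].rsplit("/", 1)[-1]
        stack.append((lineno, module, fields[i + 2:]))
    return stack

def check_stack(text):
    """Return [(lineno, message)] for settings that stop token sharing."""
    findings = []
    for pos, (lineno, module, args) in enumerate(parse_password_stack(text)):
        if module == "pam_unix.so" and "not_set_pass" in args:
            findings.append((lineno, "pam_unix.so not_set_pass: passwords "
                             "are not made available to stacked modules"))
        if pos > 0 and not SHARE_ARGS & set(args):
            findings.append((lineno, module + " is stacked after another "
                             "password module without use_first_pass/try_first_pass"))
    return findings

if __name__ == "__main__":
    for lineno, message in check_stack(SAMPLE):
        print("line %d: %s" % (lineno, message))
```

A clean result only means the configuration asks for token sharing; it does not show what a given pam_unix.so build actually does with PAM_AUTHTOK.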
