
Re: use_first_pass and use_authtok . . .



John R Lane writes:
> My question is regarding the use_first_pass and use_authtok options --
> I didn't implement the use_authtok option; (only use_first_pass and
> debug).  The PAM docs say that "use_first_pass is used to lock the
> choice of old and new passwords to that dictated by the previously
> stacked password module," and that "use_authtok is used to force the
> module to set the new password to the one provided by the previously
> stacked password module."  So, use_authtok is designed to have my
> module use the new password but request the old one directly from the
> user?

Yes.

The reason for this option is that it is convenient when you use a
password strength checking module like pam_cracklib.

> Notably, use_authtok doesn't seem to be documented in the Red Hat PAM
> system administrator's guide, except in modules that use it, though

Could you give me a pointer to this document?  I was not aware that
Red Hat had written one.  Thanks.

> use_first_pass is.  Further this option seems to be missing completely
> from the Solaris 2.6 documentation (though use_first_pass is there).

> Are stackable passwd modules expected to implement both these options?

No.  The only requirements for standard options are set forth in the
original SunSoft RFC:

  http://www.kernel.org/pub/linux/libs/pam/rfc86.0.txt.gz

These requirements are rewritten here:

  http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.3

A module can implement any other arguments that it finds appropriate.

Cheers

Andrew
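
The stacking described in the reply above, as an added example that is not part of the original message: a Linux-PAM password stack in which pam_cracklib vets the new password and pam_unix is told with use_authtok to store that same password. The file path and the retry value are assumptions chosen for illustration.

```conf
# /etc/pam.d/passwd  (assumed service file; password-change stack only)

# 1. pam_cracklib prompts for the new password and checks its strength.
#    On success it leaves the new password in the PAM_AUTHTOK item for the
#    modules stacked below it. "requisite" stops the stack on failure, so a
#    rejected password never reaches the storing module.
password  requisite  pam_cracklib.so  retry=3

# 2. use_authtok: pam_unix does not ask for a new password of its own. It
#    sets the new password to the one provided by the previously stacked
#    module, so the password that is stored is the password that was checked.
#    The old (current) password is still requested from the user directly.
password  required   pam_unix.so      use_authtok

# Contrast: use_first_pass would lock BOTH the old and the new password to
# the values dictated by the previously stacked password module.
```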


