
Re: Old Authtok when changing passwords

On Tue, Apr 16, 2002 at 08:33:02AM +0200, Thorsten Kukuk wrote:
> On Mon, Apr 15, Steve Langasek wrote:

> > On Mon, Apr 15, 2002 at 02:09:45PM +0200, Thorsten Kukuk wrote:

> > > If you use shadow passwords and your password expires, login will ask
> > > you to change the password to a new one. This is no problem, if the
> > > password is stored locally in /etc/shadow and the old password is
> > > not necessary.

> > > But if the password and the shadow information are stored in a remote
> > > service, where you need the old password to change it, you have lost.

> > > Is there really no way to get the AUTHTOK used in 
> > > pam_sm_authenticate() from pam_sm_chauthtok()? Do I really have to
> > > ask the user a second time for his password?

> > I don't see any general solution to the question of having to prompt for 
> > the password a second time when changing the password.  And indeed, I 
> > don't think this is /all/ bad; I can't think of anything pre-PAM that 
> > did any better, and PAM's support for stackable password changes is a 
> > definite improvement.

> Hm, a normal, shadow capable login program can do it, because it can
> save the first password and reuse it later.

The example I was thinking of was sshd, which has (AFAIK) always, in all 
incarnations, needed to invoke /usr/bin/passwd after authentication if 
the account is expired.  I guess it's been so long since I used a plain, 
PAMless shadow app that I've forgotten how they worked. :)

Steve Langasek
postmodern programmer

