
Re: [patch] pam_unix_passwd PAM_AUTHTOK stacking bug



On Sat, Aug 03, 2002 at 03:10:42PM -0700, Matt Piotrowski wrote:
> I am writing a module that is stacked below pam_unix in order to have 
> access to PAM_OLDAUTHTOK and PAM_AUTHTOK after a password change.  
> Normally, this works great: a non-null PAM_AUTHTOK is passed down the 
> stack only upon a successful password change. However, in certain 
> situations, a non-null PAM_AUTHTOK is passed down the stack after a 
> failed password change.  For example, using a module which simply prints 
> out PAM_OLDAUTHTOK and PAM_AUTHTOK and is stacked below pam_unix, we can 
> see the following exchange:


> [user@redhat72 user]$ passwd
> Changing password for user
> (current) UNIX password: [password]
> stacked module: old authtok obtained for user user: password
> stacked module: new authtok obtained for user user: (null)
> Enter new UNIX password: [a]
> Retype new UNIX password: [a]
> You must choose a longer password
> Enter new UNIX password: [a]
> Retype new UNIX password: [a]
> You must choose a longer password
> Enter new UNIX password: [a]
> Retype new UNIX password: [a]
> You must choose a longer password
> stacked module: old authtok obtained for user user: arrowhead
> stacked module: new authtok obtained for user user: a
> passwd: Authentication token manipulation error

> So, here the stacked module thinks that the password has been 
> successfully changed to "a", when it, in fact, has not.

The stacked module thinks no such thing:  the presence of PAM_AUTHTOK and
PAM_OLDAUTHTOK only indicates that the user has /input/ these values, it
says nothing at all about whether the password has been changed.  Modules
should not in fact presume to know anything at all about other modules in
the stack.

If what you are trying to achieve is preventing modules lower in the
stack from changing the password when a module above it has failed, the
correct solution is to use the 'requisite' tag on any modules that are
mandatory.  When libpam sees 'requisite' instead of 'required', stack
processing stops immediately in the event of a module failure.

Steve Langasek
postmodern programmer
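The control-flag behaviour described in the reply above, shown as an added example that is not part of this thread and not Linux-PAM's own code. The script parses two constructed pam.d-style password stacks (the module name pam_stacked.so is a placeholder for a module stacked below pam_unix) and walks them the way libpam does for the classic flags: with 'required', a failure in pam_unix is recorded but the stack keeps running, so the lower module is still invoked with whatever PAM_AUTHTOK the user typed; with 'requisite', processing stops at the failed module. The numeric value of PAM_AUTHTOK_ERR is assumed here; only its difference from PAM_SUCCESS matters. The bracketed `[value=action]` syntax of later Linux-PAM releases is not modelled.

```python
"""Simulate libpam control-flag processing for a password stack."""
from dataclasses import dataclass

PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 20  # assumed value; pam_unix reports "Authentication token manipulation error"


@dataclass
class Entry:
    control: str  # required | requisite | sufficient | optional
    module: str


def parse_pam_stack(text: str, service_type: str = "password") -> list[Entry]:
    """Parse pam.d-style lines ("type control module [args]") into stack entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] != service_type:
            continue
        entries.append(Entry(control=fields[1].lower(), module=fields[2]))
    return entries


def run_stack(entries: list[Entry], results: dict[str, int]) -> tuple[int, list[str]]:
    """Walk the stack as libpam does for the classic flags.

    results maps module name -> return code that module would produce
    (modules not listed are assumed to succeed).
    Returns (final status, names of modules actually invoked, in order).
    """
    invoked: list[str] = []
    first_required_failure: int | None = None
    for e in entries:
        rc = results.get(e.module, PAM_SUCCESS)
        invoked.append(e.module)
        if e.control == "requisite":
            # failure terminates stack processing immediately
            if rc != PAM_SUCCESS:
                return rc, invoked
        elif e.control == "required":
            # failure is remembered, but the remaining modules still run
            if rc != PAM_SUCCESS and first_required_failure is None:
                first_required_failure = rc
        elif e.control == "sufficient":
            # success ends the stack early unless a required module already failed
            if rc == PAM_SUCCESS and first_required_failure is None:
                return PAM_SUCCESS, invoked
        elif e.control == "optional":
            pass  # result ignored
        else:
            raise ValueError(f"unsupported control flag: {e.control}")
    status = PAM_SUCCESS if first_required_failure is None else first_required_failure
    return status, invoked


# Constructed sample stacks; pam_stacked.so is a placeholder for the lower module.
WEAK_STACK = """
password required   pam_unix.so
password required   pam_stacked.so
"""
FIXED_STACK = """
password requisite  pam_unix.so
password required   pam_stacked.so
"""


def modules_run_after_unix_failure(config: str) -> tuple[int, list[str]]:
    """Which modules run, and what passwd sees, when pam_unix rejects the new password."""
    entries = parse_pam_stack(config)
    return run_stack(entries, {"pam_unix.so": PAM_AUTHTOK_ERR})


if __name__ == "__main__":
    for name, cfg in (("required", WEAK_STACK), ("requisite", FIXED_STACK)):
        status, ran = modules_run_after_unix_failure(cfg)
        print(f"{name:9s} -> status {status}, modules invoked: {ran}")
```

With the 'required' stack the lower module is invoked even though pam_unix failed, which is exactly the situation in the quoted session: PAM_AUTHTOK holds the rejected value "a" because the user typed it, not because it was installed. The 'requisite' stack never reaches the lower module, and passwd still receives the failure status.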


