Re: Pam+NIS+passwd


> Pam_unix2
> This module from Thorsten Kukuk improves the NIS support for changing
> passwords compared to the standard pam_unix module although has a smaller
> number of options than the former.  Pam_unix2 doesn't need a specific
> option to change the nis passwords, it's "clever" enough to find out
> whether the account it's dealing with is local or NIS.  In this case the
> configuration of the file /etc/pam.d/passwd is simpler:
> password   required	pam_cracklib.so retry=3 retry=3 minlen=9 difok=3

Why not use pam_pwcheck?

> password   required	pam_unix2 md5 use_authok
> In the first entry pam_cracklib checks the quality of the new password and
> in the second the correct password is changed be it local or NIS.  With
> pam_unix2 when the root user in a NIS client wants to change the NIS
> password of a normal user, he is not asked for the root password of the NIS
> server but for the old password of the user, the philosophy here is that
> it's enough to know the user password to be able to change it.
> This module is promising but unfortunately is not ready enough for general
> use in the situation shown here, the problems found were:
> -The debug option described in the documentation doesn't work and causes an
>  error through syslog:
>  petrel PAM-unix2[2880]: password: Unknown option: debug

Fixed on current SuSE Linux distributions.

> -When a password is changed successfully there is no record through syslog.

Why should there be a syslog entry on the client? It is much simpler to
have this all on the server.

> -The option use_authok described in the documentation and essential for
>  this situation is not supported giving the following error through syslog:
>  petrel PAM-unix2[3501]: password: Unknown option: use_authok

Typo in the README; the source and all other modules should show you that
the correct argument is "use_authtok".

> -The module doesn't work at all when it is stacked with pam_cracklib, and
>  again this is essential for the described situation.

It should work, but I prefer pam_pwcheck instead of pam_cracklib.


Thorsten Kukuk       http://www.suse.de/~kukuk/        kukuk@suse.de
SuSE Linux AG        Deutschherrenstr. 15-19       D-90429 Nuernberg
Key fingerprint = A368 676B 5E1B 3E46 CFCE  2D97 F8FD 4E23 56C6 FB4B
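
Added example, not part of the original message and not code from pam_unix2: a small linter for the password stack in a PAM service file that flags near-miss spellings of use_authtok (the "use_authok" case above) and later modules that lack the option. The function names are hypothetical, the sample input is the configuration quoted in the thread, and the "every module after the first should carry use_authtok" rule is a heuristic assumption.

```python
import difflib

# Constructed sample: the /etc/pam.d/passwd lines as quoted in the thread.
SAMPLE = (
    "password   required\tpam_cracklib.so retry=3 retry=3 minlen=9 difok=3\n"
    "password   required\tpam_unix2 md5 use_authok\n"
)

def parse_stack(text, mgmt="password"):
    """Return (lineno, module, options) for each entry of one management group."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()          # drop comments
        if len(fields) < 3 or fields[0].lstrip("-") != mgmt:
            continue
        if fields[1] in ("include", "substack"):       # not a module line
            continue
        i = 1
        if fields[1].startswith("["):                  # [value=action ...] control
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 < len(fields):
            entries.append((n, fields[i + 1], fields[i + 2:]))
    return entries

def lint_password_stack(text):
    """Return (lineno, message) findings for the password stack."""
    findings = []
    stack = parse_stack(text)
    for pos, (n, module, opts) in enumerate(stack):
        names = [o.split("=", 1)[0] for o in opts]
        for name in names:
            close = difflib.get_close_matches(name, ["use_authtok"], n=1, cutoff=0.8)
            if name != "use_authtok" and close:
                findings.append(
                    (n, f"{module}: '{name}' looks like a misspelling of use_authtok"))
        # Heuristic: a module stacked after the quality checker should reuse
        # the already-vetted new password instead of prompting for another.
        if pos > 0 and "use_authtok" not in names:
            findings.append(
                (n, f"{module}: stacked after {stack[0][1]} without use_authtok"))
    return findings

if __name__ == "__main__":
    for lineno, msg in lint_password_stack(SAMPLE):
        print(f"line {lineno}: {msg}")
```
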
