
Re: pam_passwdqc, ssh and expired passwords



Gary Winiger <gww at marduk.eng.sun.com> points out that the following
Solaris 8 bugs, all of which are fixed in Solaris 9, are very likely
relevant to this problem:

4284795 when passwd is given the -r option, it ignores /etc/pam.conf
4415159 unix_scheme pam_chauthtok does not stack
4415162 unix_scheme pam_chauthtok too tightly coupled with passwd

It seems like we should really try with Solaris 9.

On Thu, Jun 27, 2002 at 04:10:22PM +1000, John Warburton wrote:
> 
> Hi
> 
> Thanks for the reply - well I can change my password as either myself or
> root:
> 
> johnw@dawkins% passwd johnw
> Enter current password:
> 
> You can now choose the new password.
> 
> A valid password should be a mix of upper and lower case letters,
> digits and other characters.  You can use an 8 character long
> password with characters from at least 3 of these 4 classes, or
> a 7 character long password containing characters from all the
> classes.  Characters that form a common pattern are discarded by
> the check.
> 
> Enter new password:
> Re-type new password:
> passwd (SYSTEM): passwd successfully changed for johnw
> 
> AND
> 
> root@dawkins# passwd johnw
> 
> You can now choose the new password.
> 
> A valid password should be a mix of upper and lower case letters,
> digits and other characters.  You can use an 8 character long
> password with characters from at least 3 of these 4 classes, or
> a 7 character long password containing characters from all the
> classes.  Characters that form a common pattern are discarded by
> the check.
> 
> Enter new password:
> Re-type new password:
> passwd (SYSTEM): passwd successfully changed for johnw
> 
> so, it looks like that is working OK.
> 
> If I try & login with telnet, I get a similar effort:
> 
> % telnet dawkins
> 
> Connected to dawkins.
> Escape character is '^]'.
> 
> SunOS 5.8
> login: johnw
> Password:
> Choose a new password.
> 
> You can now choose the new password.
> 
> A valid password should be a mix of upper and lower case letters,
> digits and other characters.  You can use an 8 character long
> password with characters from at least 3 of these 4 classes, or
> a 7 character long password containing characters from all the
> classes.  Characters that form a common pattern are discarded by
> the check.
> 
> Enter new password:
> Re-type new password:
> telnet(SYSTEM): Sorry.
> Connection closed by foreign host.
> 
> Jun 27 16:14:29 dawkins login: [ID 308033 auth.debug] pam_acct_mgmt: error
> Get new authentication token
> Jun 27 16:14:36 dawkins login: [ID 125209 auth.debug] pam_chauthtok: error
> Authentication token manipulation error
> Jun 27 16:14:36 dawkins login: [ID 376080 auth.crit] change password
> failure: Authentication token manipulation error
> 
> So this is not limited to SSH
> 
> Hope this helps pin the issue
> 
> Thanks
> 
> John

-- 
/sd




