pam_passwdqc ldap problems
'Solar Designer'
solar at openwall.com
Wed Aug 25 00:36:49 UTC 2004
On Tue, Aug 24, 2004 at 07:29:23PM -0400, Adams, Chris M, CTR,, DMDCWEST wrote:
> > You should have stacked pam_passwdqc after pam_dhkeys, not before.
> > And there should be no need for "ask_oldauthtok=update
> > check_oldauthtok" on your recent/patched Solaris 8 (it's almost
> > Solaris 9 in fact).
>
> Thanks for the info, although changing the order there didn't fix the
> problem. When I took out the ask_oldauthtok=update check_oldauthtok, it
> went back to failing at the very end. When I put them back in, it works
> just like before, even with the order swapped. I don't think the ordering
> should matter in this case since pam_dhkeys is used for Diffie-Hellman keys
> and Secure RPC, which we aren't using.
Yes. I should have been more explicit. I think your main problem was
that you commented out the "passwd auth ..." line. Please try the
exact 4 lines from my previous e-mail and let me know of your results.
> I had tried both scenarios listed in PLATFORMS, and since I have patch
> 108993-33, I originally commented out pam_authtok_get and pam_authtok_check,
That's correct.
> but had to use the ask_oldauthtok=update check_oldauthtok options to get it
> to work, so it's sort of a kludge of both scenarios.
Hmm. The "passwd auth ..." should have taken care of the old password
request.
--
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598 fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
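
The two conditions named in this reply (pam_passwdqc stacked after pam_dhkeys, and an active "passwd auth" line) can be checked mechanically against a Solaris-style pam.conf. The following is an added example, not part of the original message or of pam_passwdqc; the sample entries, their control flags and the PLACEHOLDER_MODULE path are constructed for illustration and are not the four lines from the earlier e-mail.

```python
from collections import namedtuple

Entry = namedtuple("Entry", "lineno service type control module args")
TYPES = {"auth", "account", "session", "password"}

def parse_pam_conf(text):
    """Split Solaris pam.conf text into active and commented-out entries."""
    active, commented = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        fields = line.lstrip("# \t").split()
        if len(fields) < 4 or fields[1] not in TYPES:
            continue  # blank line, prose comment, or malformed entry
        entry = Entry(lineno, fields[0], fields[1], fields[2], fields[3], fields[4:])
        (commented if line.startswith("#") else active).append(entry)
    return active, commented

def check_passwd_stack(text):
    """Return findings for the two conditions discussed in the message."""
    active, commented = parse_pam_conf(text)
    findings = []
    # Condition 1: an uncommented "passwd auth" entry must exist.
    if not any(e.service == "passwd" and e.type == "auth" for e in active):
        off = [e.lineno for e in commented if e.service == "passwd" and e.type == "auth"]
        findings.append(("passwd-auth-commented-out", off[0]) if off
                        else ("passwd-auth-missing", None))
    # Condition 2: within each password stack, pam_passwdqc follows pam_dhkeys.
    stacks = {}
    for e in active:
        if e.type == "password":
            stacks.setdefault(e.service, []).append(e)
    for service, entries in stacks.items():
        names = [e.module.rsplit("/", 1)[-1] for e in entries]
        qc = [i for i, n in enumerate(names) if n.startswith("pam_passwdqc")]
        dh = [i for i, n in enumerate(names) if n.startswith("pam_dhkeys")]
        if qc and dh and qc[0] < dh[0]:
            findings.append(("passwdqc-before-dhkeys", entries[qc[0]].lineno))
    return findings

# Constructed samples (not the lines from the earlier e-mail).
BROKEN = """\
# passwd auth required PLACEHOLDER_MODULE
other password requisite pam_passwdqc.so ask_oldauthtok=update check_oldauthtok
other password required pam_dhkeys.so.1
"""
FIXED = """\
passwd auth required PLACEHOLDER_MODULE
other password required pam_dhkeys.so.1
other password requisite pam_passwdqc.so
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_passwd_stack(conf))
```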