pam_cracklib password history

wayne yu zwyu1 at yahoo.com
Fri Mar 30 15:05:14 UTC 2007


Hi:
How can I unsubscribe from the pam list?

Thanks

--- Scott Ruckh <sruckh at gemneye.org> wrote:

> lists at trcintl.com wrote:
> > I have been attempting to enable pam_cracklib to check a password in a
> > password history file with no luck.  No matter what I seem to try,
> > nothing is ever added to the opasswd file.  I have tried this on several
> > stations with no luck so I must be missing something.  I have been
> > following the documentation at the following URL:
> > www.deer-run.com/~hal/sysadmin/pam_cracklib.html
> >
> > The problem is I can't seem to get it to work.  So, I loaded up a test
> > machine from scratch using RHEL 4.4 with all updates as of 3-14-07.  I
> > then did the following:
> >
> > 1.)  touch /etc/security/opasswd	{creates the necessary old password file}
> > 2.)  chown root:root /etc/security/opasswd
> > 3.)  chmod 600 /etc/security/opasswd
> > Note I have opened the permissions up on this file for testing with no
> > more luck.
> > 4.)  I modified the system-auth file which I'm pretty sure is the file
> > this flavor of Linux uses with the following line:
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> >
> >
> > Here is the entire file.  The only thing changed from the default file
> > is the line above.  I simply added remember=12 to it.
> >
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      /lib/security/$ISA/pam_env.so
> > auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> > auth        required      /lib/security/$ISA/pam_deny.so
> >
> > account     required      /lib/security/$ISA/pam_unix.so
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     required      /lib/security/$ISA/pam_permit.so
> >
> > password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> > password    required      /lib/security/$ISA/pam_deny.so
> >
> > session     required      /lib/security/$ISA/pam_limits.so
> > session     required      /lib/security/$ISA/pam_unix.so
> >
> > If I change the line above from sufficient to required as in the example
> > on the site referenced above such as follows:
> > password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12
> >
> > I then get the error:
> > passwd:  Authentication token manipulation error
> > {This tells me I must be editing the correct file}
> >
> > What do I need to do to create the password history file using
> > pam_cracklib?
> >
> > _______________________________________________
> > Pam-list mailing list
> > Pam-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/pam-list
> >
> >   
> Kyle, I believe you need to add your 'remember=12' flag to the account
> section and not where you have it now (in the password section).
>
> I do not believe this section from the Linux Pam Administrators' Guide
> is very clear.
>
> The account component performs the task of establishing the status of
> the user's account and password based on the following shadow elements:
> expire, last_change, max_change, min_change, warn_change. In the case of
> the latter, it may offer advice to the user on changing their password
> or, through the PAM_AUTHTOKEN_REQD return, delay giving service to the
> user until they have established a new password. The entries listed
> above are documented in the shadow(5) manual page. Should the user's
> record not contain one or more of these entries, the corresponding
> shadow check is not performed.
> 
> 
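
An added example, not part of the thread or of any poster's code: a small audit script for the setup described in the quoted steps 1.) to 4.). It reads the `remember=N` option from the `password` line that loads pam_unix.so and checks that the history file exists with the expected owner and mode 600. The function names and the temp-dir demo are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example, not from the thread: audit pam_unix password-history setup.
# Print N from remember=N on the first "password" line that loads pam_unix.so.
# Exit status 1 when there is no such line or it has no remember= option.
pam_unix_remember() {
    awk '$1 == "password" && /pam_unix\.so/ {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^remember=[0-9]+$/) { print substr($i, 10); found = 1 }
             exit
         }
         END { exit !found }' "$1"
}

# Succeed only if FILE exists, is owned by uid OWNER (default 0) and has
# mode 600. Uses GNU stat, as shipped on RHEL.
opasswd_ok() {
    local f="$1" want="${2:-0}" owner mode
    [ -f "$f" ] || { echo "FAIL $f does not exist"; return 1; }
    owner=$(stat -c %u "$f"); mode=$(stat -c %a "$f")
    [ "$owner" = "$want" ] || { echo "FAIL $f owner uid $owner, want $want"; return 1; }
    [ "$mode" = 600 ] || { echo "FAIL $f mode $mode, want 600"; return 1; }
    echo "OK   $f uid=$owner mode=$mode"
}

# usage: audit_history PAM_FILE OPASSWD_FILE [OWNER_UID]
audit_history() {
    local n rc=0
    if n=$(pam_unix_remember "$1"); then
        echo "OK   $1: pam_unix remember=$n"
    else
        echo "FAIL $1: no remember=N on the password pam_unix.so line"; rc=1
    fi
    opasswd_ok "$2" "${3:-0}" || rc=1
    return "$rc"
}

# Constructed demo: the thread's password stack in a temp dir (no root needed).
demo() {
    local d rc=0; d=$(mktemp -d)
    printf '%s\n' \
      'password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3' \
      'password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow remember=12' \
      > "$d/system-auth"
    touch "$d/opasswd"; chmod 600 "$d/opasswd"
    audit_history "$d/system-auth" "$d/opasswd" "$(id -u)" || rc=$?
    rm -rf "$d"; return "$rc"
}

if [ "$#" -ge 2 ]; then audit_history "$@"; else demo; fi
```

Run with two arguments, the PAM file and the history file (the thread uses the system-auth file and /etc/security/opasswd), to audit a real host; with no arguments it runs the constructed demo.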



 