Linux PAM stack strangeness with pam_cracklib/pam_pwcheck

Marcin Krzysztof Porwit mporwit at centeris.com
Thu May 3 21:17:04 UTC 2007



I'm running into some bizarre behavior on SuSE and RedHat systems. I'm
trying to insert another module to do password strength checking, and if
that check fails, then the entire password change should fail. My config
looks as follows:

password        requisite       pam_lwipasspolicy.so debug
password        requisite       pam_pwcheck.so  nullok cracklib
password        required        pam_unix2.so    nullok use_authtok

Setting "requisite" on pam_lwipasspolicy should mean that if it fails,
then pam_cracklib or pam_pwcheck is not even supposed to be called,
since pam_lwipasspolicy returns PAM_AUTHTOK_ERR. Strangely, however,
pam_cracklib and pam_pwcheck both reprompt for the password. No amount
of tweaking has produced the expected behavior.

You can emulate this behavior by taking a RedHat system and putting
pam_cracklib in twice in a row, both times set to requisite. Same would
go for SuSE and pam_pwcheck.

Can anyone tell me why this is happening? BTW, if the prelim check of
pam_lwipasspolicy (and pam_cracklib) returns a failure, "requisite"
works as expected. It is only on the actual request that the error does
not appear to be honored.

--
Marcin Krzysztof Porwit
mporwit at centeris.com

#include <stddisclaimer.h>
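Added example, not part of the original post and not Linux-PAM source code: a small model of a password stack being walked twice (preliminary check, then update) that reproduces both observations in the message above. It assumes that libpam, in the update pass, chooses each module's action from the return value cached during the preliminary pass; the post itself does not identify a cause, and the function names and return-value tables are hypothetical.

```python
# Added model, not Linux-PAM source. Assumption: in the PAM_UPDATE_AUTHTOK
# pass libpam picks each module's action from the return value it cached
# during the PAM_PRELIM_CHECK pass ("frozen chain"), not from the new one.
PAM_SUCCESS, PAM_AUTHTOK_ERR = "PAM_SUCCESS", "PAM_AUTHTOK_ERR"

# Control flags reduced to what happens on success and on anything else.
ACTIONS = {
    "requisite": {"success": "ok", "failure": "die"},
    "required": {"success": "ok", "failure": "bad"},
}

# The stack from the post: (control, module).
STACK = [
    ("requisite", "pam_lwipasspolicy"),
    ("requisite", "pam_pwcheck"),
    ("required", "pam_unix2"),
]

def run_pass(stack, returns, cache, frozen):
    """Walk the stack once; return (modules invoked, overall status)."""
    invoked, status = [], PAM_SUCCESS
    for control, name in stack:
        retval = returns[name]          # the module always runs and returns
        invoked.append(name)
        if not frozen:
            cache[name] = retval        # first pass defines the chain
        basis = cache[name]             # second pass reuses the cached value
        outcome = "success" if basis == PAM_SUCCESS else "failure"
        if status == PAM_SUCCESS:
            status = retval             # simplified: keep the first failure
        if ACTIONS[control][outcome] == "die":
            break
    return invoked, status

def chauthtok(stack, prelim, update):
    """Model pam_chauthtok(): prelim pass, then update pass if it passed."""
    cache = {}
    first, status = run_pass(stack, prelim, cache, frozen=False)
    if status != PAM_SUCCESS:
        return first, [], status
    second, status = run_pass(stack, update, cache, frozen=True)
    return first, second, status

# Constructed return values for the two situations described in the post.
ALL_OK = {name: PAM_SUCCESS for _, name in STACK}
POLICY_FAILS = dict(ALL_OK, pam_lwipasspolicy=PAM_AUTHTOK_ERR)
```

In this model the later modules are skipped only when the failure is returned during the preliminary pass; a failure returned only in the update pass still lets pam_pwcheck run, although the overall result is an error.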



