pam storing sessions with old passwords?

Frank Nørvig frank at noervig.dk
Fri Apr 11 06:32:20 UTC 2008


I did some further testing and it seems it's a PAM problem and not LDAP, 
as it's different servers (with Fedora 4 and pam 0.79) that remember the 
old password for different users. We only have one LDAP server, so if it 
was LDAP that was caching the old password, it would be possible to log in 
with the old password on all servers, but that's not the case.

Also, we were able to test it further with one of our users. She changed 
her password 4 days ago and was still able to log in with both her old (1) 
and new (2) password. We changed the password again (3) and this time 
she was able to log in with her (1) password and (3) password, but not 
(2). Again, we changed it (4) and this time same pattern - she was able 
to log in with (1) and (4) but not (2) and (3). And again with (5) it was 
the same pattern.

It seems like PAM stores a session of an old password that it 
"recognizes", and instead of checking the password with the LDAP server 
it just lets the user in. Even when the user gets a new password and 
logs in with it :(

--- Frank
http://www.noervig.dk
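The test described in the post (change the password several times, then try every earlier password and note which ones are still accepted) is worth automating, because one stale credential that keeps working alongside the current one is the signature of a cache sitting between the login path and the directory. The script below is an added example written for this page, not code from the original post or from the PAM project. It assumes the python-pam package and its pam.pam().authenticate(user, password, service=...) call when that package is installed; when it is not, it falls back to a constructed fake authenticator (which simply accepts the current password plus one cached old one, mirroring the reported symptom) so the reporting logic can be exercised offline. The user name, service name and password history are constructed sample values.

```python
"""Audit which previously used passwords a PAM stack still accepts for a user.

Added example, not part of the original post. Run it on an affected host as a
user allowed to call PAM for the target service; the 1-based indices in the
report follow the (1)..(5) numbering used in the post.
"""
from __future__ import annotations

from typing import Callable, Dict, List, Sequence

# (user, password) -> True if the stack accepted the credential
Authenticator = Callable[[str, str], bool]


def pam_authenticator(service: str = "login") -> Authenticator:
    """Authenticator backed by the real PAM stack via python-pam.

    Assumption: the python-pam package is installed and exposes
    pam.pam().authenticate(user, password, service=...). This is the only
    non-standard-library call in the example.
    """
    import pam  # raises ImportError when python-pam is not installed

    p = pam.pam()

    def auth(user: str, password: str) -> bool:
        return bool(p.authenticate(user, password, service=service))

    return auth


def make_fake_authenticator(current: str, cached: str) -> Authenticator:
    """Constructed stand-in for offline use.

    Accepts the current password and exactly one cached old password, which is
    the behaviour the post reports ((1) and the newest one work, the rest do not).
    """

    def auth(user: str, password: str) -> bool:
        return password in (current, cached)

    return auth


def stale_password_report(
    user: str, history: Sequence[str], auth: Authenticator
) -> Dict[str, List[int]]:
    """Try every password in `history` (oldest first; the last entry is current).

    Returns {"accepted": [...], "stale": [...]} with 1-based indices. Anything in
    "stale" is an old password the stack should have rejected; on a healthy
    system it is empty and "accepted" contains only the current password.
    """
    accepted = [i for i, pw in enumerate(history, start=1) if auth(user, pw)]
    current_index = len(history)
    stale = [i for i in accepted if i != current_index]
    return {"accepted": accepted, "stale": stale}


if __name__ == "__main__":
    # Constructed sample history: (1) is the oldest password, (5) the current one.
    sample_user = "alice"
    sample_history = ["pw-1", "pw-2", "pw-3", "pw-4", "pw-5"]
    try:
        authenticate = pam_authenticator("login")
        backend = "pam (python-pam)"
    except ImportError:
        authenticate = make_fake_authenticator(current="pw-5", cached="pw-1")
        backend = "constructed fake authenticator"

    result = stale_password_report(sample_user, sample_history, authenticate)
    print(f"backend: {backend}")
    print(f"accepted passwords (1-based): {result['accepted']}")
    if result["stale"]:
        print(f"STALE credentials still accepted: {result['stale']}")
    else:
        print("only the current password is accepted")
```

Run it once against each server that shows the symptom and once against one that does not; if the stale list is non-empty only on some hosts while all of them bind to the same directory, the stale credential is being honoured by something on the host side rather than by the directory itself, which is the reasoning the post applies.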




More information about the Pam-list mailing list