Proper use of pam_echo
Big Bacala
bigbacala at outlook.com
Tue Mar 24 11:48:17 UTC 2015
Greetings. I am trying to understand the subtleties of PAM on a RHEL6 box, and hope I can gain better insight from more experienced list members. I've been examining the official documentation and been experimenting quite a bit, but to no avail. Thank you in advance for any insight you may provide...
Starting with a very straightforward PAM password stack:
password requisite pam_cracklib.so minlen=8
password sufficient pam_unix.so sha512 shadow use_authtok
password required pam_deny.so
Simple enough. I believe I understand what happens.
Now, insert echoes between each line of the above to trace how things work:
password optional pam_echo.so TEST LINE 1
password requisite pam_cracklib.so minlen=8
password optional pam_echo.so TEST LINE 2
password sufficient pam_unix.so sha512 shadow use_authtok
password optional pam_echo.so TEST LINE 3
password required pam_deny.so
and give it a run...
[username at box}$ passwd
Changing password for user username
TEST LINE 1
TEST LINE 2
Changing password for username
(current) UNIX password: <<use incorrect password here to cause failure>>
TEST LINE 3
passwd: Authentication token manipulation error
I still believe I understand what's happening. So far, so good.
Now, I use the correct (current) password, but fail to enter an acceptable new password (e.g., <8 characters). TEST LINE 3 does NOT echo to the screen in this case, even though the pam_unix line fails. I expected it would. What am I missing?
[username at box}$ passwd
Changing password for user username
TEST LINE 1
TEST LINE 2
Changing password for username
(current) UNIX password: <<enter correct password here>>
New password: <<enter very short password to make fail>>
BAD PASSWORD: it is WAY too short
Password: <<repeat bad password to make it fail>>
passwd: Authentication token manipulation error
Thank you.