Proper use of pam_echo
Tomas Mraz
tmraz at redhat.com
Tue Mar 24 12:02:45 UTC 2015
On 24.3.2015 12:48, Big Bacala wrote:
> Greetings. I am trying to understand the subtleties of PAM on a RHEL6
> box, and hope I can gain better insight from more experienced list
> members. I've been examining the official documentation and been
> experimenting quite a bit, but to no avail. Thank you in advance for
> any insight you may provide...
>
> Starting with a very straightforward PAM password stack:
> password requisite pam_cracklib.so minlen=8
> password sufficient pam_unix.so sha512 shadowuse_authtok
>
> password required pam_deny.so
>
> Simple enough. I believe I understand what happens.
>
> Now, insert echo's between each line of the above to trace how things work:
> password optional pam_echo.so TEST LINE 1
> password requisite pam_cracklib.so minlen=8
> password optional pam_echo.so TEST LINE 2
> password sufficient pam_unix.so sha512 shadowuse_authtok
> password optional pam_echo.so TEST LINE 3
> password required pam_deny.so
>
>
> and give it a run...
> [username at box}$ passwd
> Changing password for user username
> TEST LINE 1
> TEST LINE 2
> Changing password for username
> (current) UNIX password: <<use incorrect password here to cause failure>>
> TEST LINE 3
> passwd: Authentication token manipulation error
> I still believe I understand what's happening. So far, so good.
>
> Now, I use the correct (current) password, but fail to enter an
> acceptable new password (eg, <8 characters). TEST LINE 3 does NOT echo
> to the screen in this case, even though the pam_unix line fails. I
> expected it would. What am I missing?
> [username at box}$ passwd
> Changing password for user username
> TEST LINE 1
> TEST LINE 2
> Changing password for username
> (current) UNIX password: <<enter correct password here>>
> New password: <<enter very short password to make fail>>
> BAD PASSWORD: it is WAY too short
> Password: <<repeat bad password to make it fail>>
> passwd: Authentication token manipulation error
You have to understand that there are two passes through the password
modules during the password change.
1. prelim check - here the pam_echo messages are output and the old
password checked
2. the actual change - here the new password is asked for and the change
is done
The TEST LINE 3 is not echoed in your second case because the
pam_unix.so is sufficient and because during the prelim check it
succeeded no module after the pam_unix will be processed.
Tomas Mraz
More information about the Pam-list
mailing list