Proper use of pam_echo

Tomas Mraz tmraz at redhat.com
Tue Mar 24 12:02:45 UTC 2015


On 24.3.2015 12:48, Big Bacala wrote:
> Greetings.  I am trying to understand the subtleties of PAM on a RHEL6
> box, and hope I can gain better insight from more experienced list
> members.  I've been examining the official documentation and been
> experimenting quite a bit, but to no avail.  Thank you in advance for
> any insight you may provide...
>
> Starting with a very straightforward PAM password stack:
>    password   requisite    pam_cracklib.so minlen=8
>    password   sufficient   pam_unix.so sha512 shadow use_authtok
>    password   required     pam_deny.so
>
> Simple enough. I believe I understand what happens.
>
> Now, insert echo's between each line of the above to trace how things work:
>    password   optional     pam_echo.so  TEST LINE 1
>    password   requisite    pam_cracklib.so minlen=8
>    password   optional     pam_echo.so  TEST LINE 2
>    password   sufficient   pam_unix.so sha512 shadow use_authtok
>    password   optional     pam_echo.so  TEST LINE 3
>    password   required     pam_deny.so
>
>
> and give it a run...
>    [username@box]$ passwd
>    Changing password for user username
>    TEST LINE 1
>    TEST LINE 2
>    Changing password for username
>    (current) UNIX password: <<use incorrect password here to cause failure>>
>    TEST LINE 3
>    passwd: Authentication token manipulation error
> I still believe I understand what's happening. So far, so good.
>
> Now, I use the correct (current) password, but fail to enter an
> acceptable new password (eg, <8 characters).  TEST LINE 3 does NOT echo
> to the screen in this case, even though the pam_unix line fails.  I
> expected it would.  What am I missing?
>    [username@box]$ passwd
>    Changing password for user username
>    TEST LINE 1
>    TEST LINE 2
>    Changing password for username
>    (current) UNIX password: <<enter correct password here>>
>    New password: <<enter very short password to make fail>>
>    BAD PASSWORD: it is WAY too short
>    Password: <<repeat bad password to make it fail>>
>    passwd: Authentication token manipulation error

You have to understand that there are two passes through the password 
modules during the password change:
1. prelim check - here the pam_echo messages are output and the old 
password is checked
2. the actual change - here the new password is asked for and the change 
is done

TEST LINE 3 is not echoed in your second case because pam_unix.so is 
sufficient, and because it succeeded during the prelim check, no module 
after pam_unix will be processed.

Tomas Mraz
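As an added illustration (not code from the thread or from Linux-PAM), a small Python model of how PAM walks the stack above in both passes. The module behaviour is a constructed approximation of pam_echo, pam_cracklib, pam_unix and pam_deny (retry prompts are not modelled); the scenario keys `current_password_ok` and `new_password_ok` are made up for the example.

```python
# Constructed model (not Linux-PAM code): modules answer success/fail/ignore.
PRELIM, UPDATE = "prelim", "update"

def pam_echo(text):  # prints only in the prelim check; PAM_IGNORE afterwards
    def run(pass_name, scenario, log):
        if pass_name != PRELIM:
            return "ignore"
        log.append(text)
        return "success"
    return run

def pam_cracklib(pass_name, scenario, log):
    # Prelim: nothing to verify.  Update: prompt for and police the new token.
    if pass_name == PRELIM:
        return "success"
    log.append("New password:")
    return "success" if scenario["new_password_ok"] else "fail"

def pam_unix(pass_name, scenario, log):
    # Prelim: verify the current password.  Update: store the new token.
    if pass_name == PRELIM:
        log.append("(current) UNIX password:")
        return "success" if scenario["current_password_ok"] else "fail"
    return "success"

STACK = [  # the stack from the question, with its three pam_echo probes
    ("optional", pam_echo("TEST LINE 1")), ("requisite", pam_cracklib),
    ("optional", pam_echo("TEST LINE 2")), ("sufficient", pam_unix),
    ("optional", pam_echo("TEST LINE 3")), ("required", lambda p, s, l: "fail"),
]

def run_pass(pass_name, scenario, log):
    """Walk STACK once; optional results and "ignore" never change the outcome."""
    required_failed = False
    for control, module in STACK:
        result = module(pass_name, scenario, log)
        if control == "requisite" and result == "fail":
            return "fail"              # stop at once with an error
        if control == "required" and result == "fail":
            required_failed = True     # remember it, but keep walking
        if control == "sufficient" and result == "success" and not required_failed:
            return "success"           # stop at once: later modules never run
    return "fail" if required_failed else "success"

def passwd(scenario):
    """Run both passes as passwd(1) does; return (result, prompts/echoes seen)."""
    log = []
    if run_pass(PRELIM, scenario, log) != "success":
        return "fail", log
    return run_pass(UPDATE, scenario, log), log
```

With a wrong current password the prelim pass reaches TEST LINE 3 because the sufficient pam_unix failed; with a correct current password it stops at pam_unix, and the update pass then stops at the requisite pam_cracklib, so TEST LINE 3 is never reached.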
