Proper use of pam_echo

Tomas Mraz tmraz at redhat.com
Wed Mar 25 08:16:31 UTC 2015


On 24.3.2015 20:27, Big Bacala wrote:
> Thank you for your reply.  I'm still somehow looking at this the wrong
> way and I'd really appreciate a little more help...
>
> Focusing again on the last example where TEXT LINE 3 is not
> echoed...  I'm thinking that, even though the first pass was successful
> (I provided the correct current password), wasn't the second pass
> unsuccessful? (I intentionally provided an inadequate new password.)  If
> it were considered a success, wouldn't it write something to /etc/shadow?
>
> Ah! Okay, so maybe it finally clicked... the first pass determines if a
> correct current UNIX password was provided, and that dictates the
> pass/fail status of the statement.  If pass, then continue processing
> within the pam_unix module (where it determines if the new password
> meets the cracklib criteria. If so, write to shadow. If not, don't. In
> either case, stop.)  I definitely didn't get that from the documentation.
>
> So, did I get that right?  If so, then I have a related question which I
> will post separately under a new subject.
> Thank you so much!

1. The pam_echo does not echo anything in the second pass - that's the 
way it is implemented.

2. Even if it did, the PAM library caches the order of the modules 
processed in the first pass and it will follow the same order in the 
second pass. So if in the first pass the pam_echo was skipped, it will 
be skipped in the second pass as well regardless of the return values of 
the modules in the second pass.

Tomas Mraz
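To make the two points above concrete, here is a small simulation of the two-pass password stack (PAM_PRELIM_CHECK, then PAM_UPDATE_AUTHTOK). It is an added example for this page, not Linux-PAM source and not the poster's configuration: the stacking rules are a simplified reading of the usual required/requisite/sufficient/optional semantics, the pam_echo, pam_unix and pam_deny functions are stand-ins written for the example, and the stack, the stored password "hunter2xyz" and the eight-character length rule are all constructed. The stack is arranged so that pam_unix is `sufficient`, which is the situation the reply describes: a correct current password ends the first pass before "TEXT LINE 3" is reached, and the second pass replays that frozen chain whatever pam_unix returns the second time.

```python
"""
Toy model of Linux-PAM's two-pass password stack (PAM_PRELIM_CHECK, then
PAM_UPDATE_AUTHTOK).  Written for this page as an illustration; it is not
Linux-PAM code and the modules below are stand-ins, not the real ones.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Return codes, using the numeric values Linux-PAM assigns to them.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_AUTHTOK_ERR, PAM_IGNORE = 0, 6, 7, 20, 25
PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"


@dataclass
class Handle:
    """Minimal stand-in for pam_handle_t plus the side effects we care about."""
    old_password: str
    new_password: str
    real_password: str                       # what /etc/shadow currently holds (constructed)
    shadow: Optional[str] = None             # set when a module "writes" /etc/shadow
    conv: List[str] = field(default_factory=list)  # PAM_TEXT_INFO lines shown to the user


Module = Callable[[str, Handle], int]        # (pass name, handle) -> return code


def pam_echo(text: str) -> Module:
    """Stand-in for pam_echo: speaks only in the first pass, PAM_IGNORE in the second (point 1)."""
    def run(pass_name: str, h: Handle) -> int:
        if pass_name != PRELIM:
            return PAM_IGNORE
        h.conv.append(text)
        return PAM_SUCCESS
    return run


def pam_unix(min_len: int) -> Module:
    """Stand-in for pam_unix: pass one verifies the current password, pass two
    applies a toy strength rule (length only) and writes the new entry."""
    def run(pass_name: str, h: Handle) -> int:
        if pass_name == PRELIM:
            return PAM_SUCCESS if h.old_password == h.real_password else PAM_AUTH_ERR
        if len(h.new_password) < min_len:
            return PAM_AUTHTOK_ERR
        h.shadow = h.new_password
        return PAM_SUCCESS
    return run


def pam_deny() -> Module:
    """Stand-in for pam_deny: always fails."""
    return lambda pass_name, h: PAM_PERM_DENIED


def first_pass(stack, h: Handle) -> Tuple[int, List[int]]:
    """PAM_PRELIM_CHECK with simplified stacking rules.  Returns the status and
    the indices of the modules actually reached; the library freezes that list."""
    chain: List[int] = []
    status: Optional[int] = None      # decided by required/requisite/sufficient
    fallback: Optional[int] = None    # optional modules count only if nothing else decides
    for i, (control, mod) in enumerate(stack):
        rc = mod(PRELIM, h)
        chain.append(i)
        if rc == PAM_IGNORE:
            continue
        if control == "optional":
            fallback = rc if fallback is None else fallback
        elif control == "sufficient":
            if rc == PAM_SUCCESS and status in (None, PAM_SUCCESS):
                status = PAM_SUCCESS
                break                 # sufficient success ends the walk
        else:                         # required / requisite
            if rc != PAM_SUCCESS:
                if status in (None, PAM_SUCCESS):
                    status = rc
                if control == "requisite":
                    break             # requisite failure ends the walk
            elif status is None:
                status = PAM_SUCCESS
    if status is None:
        status = fallback if fallback is not None else PAM_SUCCESS
    return status, chain


def second_pass(stack, h: Handle, chain: List[int]) -> int:
    """PAM_UPDATE_AUTHTOK: exactly the frozen modules run, in the frozen order;
    what they return this time sets the status but does not change the walk (point 2)."""
    status = PAM_SUCCESS
    for i in chain:
        rc = stack[i][1](UPDATE, h)
        if rc not in (PAM_SUCCESS, PAM_IGNORE) and status == PAM_SUCCESS:
            status = rc
    return status


def pam_chauthtok(stack, h: Handle) -> int:
    status, chain = first_pass(stack, h)
    if status != PAM_SUCCESS:
        return status                 # a failed preliminary check never reaches pass two
    return second_pass(stack, h, chain)


# Constructed stack in the spirit of the thread, not the poster's actual config.
STACK = [
    ("optional",   pam_echo("TEXT LINE 1")),
    ("sufficient", pam_unix(min_len=8)),
    ("required",   pam_deny()),
    ("optional",   pam_echo("TEXT LINE 3")),
]


def change_password(old: str, new: str, real: str = "hunter2xyz"):
    """Run the constructed stack; returns (status, new shadow entry, messages shown)."""
    h = Handle(old_password=old, new_password=new, real_password=real)
    return pam_chauthtok(STACK, h), h.shadow, h.conv


if __name__ == "__main__":
    for old, new in (("hunter2xyz", "correct-horse-battery"),
                     ("hunter2xyz", "abc"),
                     ("wrong", "correct-horse-battery")):
        print(old, new, change_password(old, new))
```

Running the three cases shows the behaviour the reply describes: with the correct current password and a strong new one, pass one stops at the `sufficient` pam_unix, the frozen chain is just the first two modules, and the second pass writes the new entry while "TEXT LINE 3" never appears. With the correct current password and a weak new one, pass one freezes the same two-module chain, so the second pass still never reaches the final pam_echo even though pam_unix now fails with PAM_AUTHTOK_ERR; and the first pam_echo, though replayed, returns PAM_IGNORE in pass two. Only a wrong current password lets pass one walk past pam_unix to "TEXT LINE 3", and then the failed preliminary check means there is no second pass at all.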
