Why passwd command does not work with pam_unix_passwd.c module source code

Stephanie.CTR.Formica at faa.gov Stephanie.CTR.Formica at faa.gov
Wed Mar 25 13:04:54 UTC 2015


I have a small challenge and would appreciate any guidance... I have been required to determine the length of a new password during a RHEL6 password change.

I have modified the PAM source code, by adding an "if" statement in /modules/pam_unix/pam_unix_password.c (shown below) to do this after the password has been changed.

This "if" statement works perfectly when the password is changed from the login screen. BUT, if I run the "passwd" command from a terminal window, the statement does not appear to run at all. Can you please help me understand why?
...
static int _pam_unix_approve_pass(pam_handle_t * pamh
                                  ,unsigned int ctrl
                                  ,const char *pass_old
                                  ,const char *pass_new)
{
    const void *user;
    const char *remark = NULL;
    int retval = PAM_SUCCESS;

    D(("&new=%p, &old=%p", pass_old, pass_new));
    D(("new=[%s]", pass_new));
    D(("old=[%s]", pass_old));

    if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
        if (on(UNIX_DEBUG, ctrl)) {
            pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
        }
        _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
                     _("No password supplied") : _("Password unchanged"));
        return PAM_AUTHTOK_ERR;
    }
    /*
     * if one wanted to hardwire authentication token strength
     * checking this would be the place - AGM
     */

    retval = pam_get_item(pamh, PAM_USER, &user);
    if (retval != PAM_SUCCESS) {
        if (on(UNIX_DEBUG, ctrl)) {
            pam_syslog(pamh, LOG_ERR, "Can not get username");
            return PAM_AUTHTOK_ERR;
        }
    }
    if (off(UNIX__IAMROOT, ctrl)) {
        if (strlen(pass_new) < 6)
            remark = _("You must choose a longer password");
        D(("length check [%s]", remark));

        /* ---- added: the 13 character password check ---- */
        if (strlen(pass_new) >= 13)
            system("echo 13char > /tmp/Password_length.text");
        /* ---- end of added lines ---- */

        if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
            if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
                remark = _("Password has been already used. Choose another.");
            if (retval == PAM_ABORT) {
                pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                           OLD_PASSWORDS_FILE);
                return retval;
            }
        }
    }
...


Thank you,

Stephanie Formica
Enroute Computer Solutions
FDIO - Second Level Support
Phone: (609) 485-4077
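
The added check above records its result by calling system() from inside a module that, when the change is driven by passwd, is loaded into a setuid-root process: that spawns /bin/sh with the caller's environment and makes root write to a fixed, predictable path in /tmp that any local user could pre-create. When the call produces nothing under passwd, the first things to check are the audit log for denials against the passwd process (passwd runs in its own confined domain on RHEL6) and /var/log/secure for the pam_syslog lines the module already emits. The following stand-alone C example is added here and is not code from Linux-PAM or from the post; it keeps the same two thresholds (6 from the quoted upstream check, 13 from the added one), reports the verdict through the system logger instead of a shell, never records the password itself, and, where a file is genuinely required, opens it with O_NOFOLLOW and a single write so a pre-created symlink cannot redirect the privileged write. The record format and the temporary file name are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

/* 6 is the minimum the quoted pam_unix code enforces for non-root callers;
 * 13 is the threshold from the post. */
#define PASS_MIN_LEN  6
#define PASS_LONG_LEN 13

enum pass_verdict { PASS_TOO_SHORT = 0, PASS_OK = 1, PASS_LONG = 2 };

/* Classify a proposed password by length only. A NULL token counts as too
 * short, mirroring the "No password supplied" path in _pam_unix_approve_pass. */
enum pass_verdict classify_new_password(const char *pass_new)
{
    size_t len = pass_new ? strlen(pass_new) : 0;
    if (len < PASS_MIN_LEN)
        return PASS_TOO_SHORT;
    if (len >= PASS_LONG_LEN)
        return PASS_LONG;
    return PASS_OK;
}

/* Build the line that gets recorded (constructed format). Only the user name
 * and the verdict go in; the password itself is never written anywhere.
 * Returns the number of characters formatted, or -1 on truncation. */
int format_length_record(char *buf, size_t bufsz, const char *user,
                         enum pass_verdict v)
{
    static const char *const label[] = { "too_short", "ok", "13char" };
    int n = snprintf(buf, bufsz, "pam_unix: user=%s new_password_length=%s",
                     user ? user : "(unknown)", label[v]);
    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return n;
}

/* Convenience for checking the record text: 1 if it equals expected. */
int record_matches(const char *user, enum pass_verdict v, const char *expected)
{
    char line[256];
    if (format_length_record(line, sizeof line, user, v) < 0)
        return 0;
    return strcmp(line, expected) == 0;
}

/* Inside a PAM module the logger is pam_syslog(pamh, ...), which the quoted
 * code already uses; syslog(3) is the stand-alone equivalent here. Nothing is
 * exec'd and no shell is involved. */
void log_length_verdict(const char *user, enum pass_verdict v)
{
    char line[256];
    if (format_length_record(line, sizeof line, user, v) > 0)
        syslog(LOG_AUTHPRIV | LOG_INFO, "%s", line);
}

/* If a file really is required: refuse to follow a symlink at the path, keep
 * the descriptor out of any child, and append in one write(2).
 * Returns 0 on success, -errno on failure. */
int append_record_nofollow(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC,
                  0600);
    if (fd < 0)
        return -errno;
    size_t len = strlen(line);
    ssize_t w1 = write(fd, line, len);
    ssize_t w2 = write(fd, "\n", 1);
    int rc = (w1 == (ssize_t)len && w2 == 1) ? 0 : -EIO;
    close(fd);
    return rc;
}

/* Round trip: write one record into a fresh temporary file (constructed
 * name) and read it back. Returns 1 on success, 0 otherwise. */
int selftest_append_roundtrip(void)
{
    char path[] = "/tmp/pwlen_example_XXXXXX";
    char line[256], back[256] = { 0 };
    int ok = 0;
    int fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);
    if (format_length_record(line, sizeof line, "alice", PASS_LONG) > 0 &&
        append_record_nofollow(path, line) == 0) {
        FILE *f = fopen(path, "r");
        if (f) {
            if (fgets(back, sizeof back, f))
                back[strcspn(back, "\n")] = '\0';
            fclose(f);
            ok = strcmp(back, line) == 0;
        }
    }
    unlink(path);
    return ok;
}
```

The split between classify_new_password and the two recording functions is deliberate: the length decision stays in the module, while where the result goes (syslog, or a file opened under the caller's control) is a separate choice that never needs a shell or a fixed world-writable path.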


