I've been working on a package for pam_passwdqc, a password strength checking
module, an I'm encountering a problem with module stacking. I'm wondering if
this has been encountered with other PAM modules and has a suffestion.
If I configure PAM like this:
password requisite /usr/pkg/lib/security/pam_passwdqc.so ask_oldauthtok
password required pam_unix.so no_warn use_first_pass debug
$ passwd
Changing password for john.
Enter current password:
You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters. You can use a 9 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes. An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "piston worthy rune sheer hair".
Enter new password:
Re-type new password:
Unable to change auth token: authentication error
and the following is logged:
passwd: in _openpam_check_error_code(): pam_sm_chauthtok(): unexpected return
value 9
If I change from use_first_pass try_first_pass it works, but, password must be
entered for each PAM module.