tech-pkg archive


Re: PAM Stacking



John R. Shannon wrote:
I've been working on a package for pam_passwdqc, a password strength checking module, and I'm encountering a problem with module stacking. I'm wondering if this has been encountered with other PAM modules and if anyone has a suggestion.

If I configure PAM like this:

password  requisite   /usr/pkg/lib/security/pam_passwdqc.so  ask_oldauthtok
password  required  pam_unix.so  no_warn use_first_pass debug

$ passwd
Changing password for john.
Enter current password:

You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 9 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "piston worthy rune sheer hair".
Enter new password:
Re-type new password:
Unable to change auth token: authentication error

and the following is logged:

passwd: in _openpam_check_error_code(): pam_sm_chauthtok(): unexpected return value 9

If I change from use_first_pass to try_first_pass it works, but the password must be entered for each PAM module.


I neglected to mention that I'm testing on NetBSD 4.0 amd64 with:

$ cat /etc/passwd.conf
default:
  localcipher = blowfish,7
  ypcipher = blowfish,7

--
John R. Shannon
STAR Technologies, LLC
A DSCI Company
jshannon%dsci.com@localhost
john.r.shannon%us.army.mil@localhost
shannonjr%NetBSD.org@localhost


