RE: pam_passwdqc

Glynn,

I should have been more specific. RHEL chooses to use the existence of
pam.d rather than pam.conf for configuration of the security modules.
Within this directory, there is a text file, system-auth that has a
structure as follows:
	auth	required  /lib/security/$ISA/pam_env.so 
		more auths related requires, requisites, etc

	account required /lib/security/$ISA/pam_unix.so
		more account related requires, requisites, etc

	password requisite /lib/security/$ISA/pam_cracklib.so
	password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
	password required /lib/security/$ISA/pam_deny.so

	session required /lib/security/$ISA/pam_limits.so
		more session related requires, requisites, etc

Then, for the various services such as passwd, sshd, etc. they use
pam_stack.so as, in the case of passwd:

	auth		required	pam_stack.so service=system-auth
	account	required	pam_stack.so service=system-auth
	password	required	pam_stack.so service=system-auth

to call the appropriate security module.

As it turns out, pam_passwdqc must be the first module called in the
password module stack to work properly. I originally had it under
pam_cracklib.so and it didn't work. Moving it before the cracklib module
corrected the problem.


Kirkwood, David A. wrote:

> For anyone interested, the solution seems to be that this module has to
> be the first module checked in the passwd authentication stack. Then it
> seems to work, but I need to test further.

Password "QC" modules (e.g. pam_cracklib) normally go in the
"password" stack (used when setting/changing a password) rather than
the "auth" stack (used for authentication).

I have no experience with pam_passwdqc (I don't have it on my system),
so I can't answer the original question.

-- 
Glynn Clements <glynn@xxxxxxxxxxxxxxxxxx>
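
Added example (not part of the original thread): a small Python check for the ordering described above, i.e. that pam_passwdqc.so comes first among the "password" lines of a pam.d file such as system-auth. The function names and the sample file contents are constructed for illustration; the check reads one file only and does not follow pam_stack.so service= references.

```python
import re

# Constructed sample in the pam.d/system-auth layout quoted in the post
# (not copied from a real host). pam_passwdqc.so sits below pam_cracklib.so,
# the arrangement the poster reports as not working.
SAMPLE_BAD = """\
# constructed example
auth     required   /lib/security/$ISA/pam_env.so
account  required   /lib/security/$ISA/pam_unix.so
password requisite  /lib/security/$ISA/pam_cracklib.so retry=3
password requisite  /lib/security/$ISA/pam_passwdqc.so
password sufficient /lib/security/$ISA/pam_unix.so nullok \\
         use_authtok md5 shadow
password required   /lib/security/$ISA/pam_deny.so
session  required   /lib/security/$ISA/pam_limits.so
"""

# type, control (a keyword or a bracketed [value=action ...] list), module, args
LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def password_stack(text):
    """Return [(control, module_name, args)] for 'password' lines, in file order."""
    text = text.replace("\\\n", " ")            # join backslash-continued lines
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        m = LINE.match(line)
        if m and m.group(1).lower() == "password":
            module = m.group(3).rsplit("/", 1)[-1]   # strip the directory part
            stack.append((m.group(2), module, m.group(4).split()))
    return stack

def check_passwdqc_first(text, module="pam_passwdqc.so"):
    """Return a list of findings; an empty list means the module leads the stack."""
    names = [mod for _, mod, _ in password_stack(text)]
    if module not in names:
        return [f"{module} is not in the password stack"]
    ahead = names[:names.index(module)]
    return [f"{mod} runs before {module}" for mod in ahead]

if __name__ == "__main__":
    for finding in check_passwdqc_first(SAMPLE_BAD):
        print("ORDER:", finding)
```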