--ZRyEpB+iJ+qUx0kp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sat, Aug 03, 2002 at 03:10:42PM -0700, Matt Piotrowski wrote: > I am writing a module that is stacked below pam_unix in order to have=20 > access to PAM_OLDAUTHTOK and PAM_AUTHTOK after a password change. =20 > Normally, this works great: a non-null PAM_AUTHTOK is passed down the=20 > stack only upon a successful password change. However, in certain=20 > situations, a non-null PAM_AUTHTOK is passed down the stack after a=20 > failed password change. For example, using a module which simply prints= =20 > out PAM_OLDAUTHTOK and PAM_AUTHTOK and is stacked below pam_unix, we can= =20 > see the following exchange: > [user@redhat72 user]$ passwd > Changing password for user > (current) UNIX password: [password] > stacked module: old authtok obtained for user user: password > stacked module: new authtok obtained for user user: (null) > Enter new UNIX password: [a] > Retype new UNIX password: [a] > You must choose a longer password > Enter new UNIX password: [a] > Retype new UNIX password: [a] > You must choose a longer password > Enter new UNIX password: [a] > Retype new UNIX password: [a] > You must choose a longer password > stacked module: old authtok obtained for user user: arrowhead > stacked module: new authtok obtained for user user: a > passwd: Authentication token manipulation error > So, here the stacked module thinks that the password has been=20 > successfully changed to "a", when it, in fact, has not. The stacked module thinks no such thing: the presence of PAM_AUTHTOK and PAM_OLDAUTHTOK only indicates that the user has /input/ these values, it says nothing at all about whether the password has been changed. Modules should not in fact presume to know anything at all about other modules in the stack. If what you are trying to achieve is preventing modules lower in the stack from changing the password when a module above it has failed, the correct solution is to use the 'requisite' tag on any modules that are mandatory. When libpam sees 'requisite' instead of 'required', stack processing stops immediately in the event of a module failure. Steve Langasek postmodern programmer --ZRyEpB+iJ+qUx0kp Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQE9TIIrKN6ufymYLloRAh+mAJ9IWX2YKvFfYLZFb7iigDFqv7efwwCdEc0f NStrmVAbgU+FQ7Glin1FxTc= =fP4F -----END PGP SIGNATURE----- --ZRyEpB+iJ+qUx0kp--