Thanks for the links. The tip about the not_set_pass argument sounds like what
I was looking for, but unfortunately it did not fix the problem. With or without the option,
pam_unix is preventing the passwords from being available to my module. Maybe
this is a bug.

I replaced pam_unix.so with pam_pwdb.so in my stack list, and that allowed my
module to retrieve the passwords as expected, so I do not think the problem is
in my module or configuration. I guess I will have to go to the source to try to figure
out why pam_unix is clearing the password tokens. Maybe the module is
doing something that requires it to be the last in line for password management.

-Jonathan
jkung@us.ibm.com


Jenn Vesperman <jenn@anthill.echidna.id.au>@redhat.com on 07/30/2002 01:08:03 PM

Please respond to pam-list@redhat.com
Sent by: pam-list-admin@redhat.com
To: pam-list@redhat.com
cc:
Subject: Re: RedHat 7.2 pam_unix.so and PAM_AUTHTOK?


On Wed, 2002-07-31 at 03:26, jkung@us.ibm.com wrote:
>
> Hi,
>
> From what I have been able to observe on RedHat 7.2, the pam_unix.so
> password module clears the PAM_AUTHTOK and PAM_OLDAUTHTOK
> tokens so the next stacked password module can not call pam_get_item
> for the data. Is there an argument that can be passed to the pam_unix.so
> password module that will tell it to not clear the tokens? I want to write
> a pam module that can be called after pam_unix.so, and I want to use
> the passwords that were previously entered by the user. If I missed some
> documentation or a previous thread on this, I apologize and would
> appreciate a pointer to the info.

Use the argument 'use_first_pass' for your module.

eg:

password required pam_unix.so <arguments>
password required my_module use_first_pass <other arguments>

try_first_pass should work too.

See also:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-4.html#ss4.3
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-4.html

Also check that this is NOT set:

"The not_set_pass argument is used to inform the module that it is not
to pay attention to/make available the old or new passwords from/to
other (stacked) password modules."

That's from
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.26

Failing that, set debug and poke around in the source to see what it's
doing wrong.

Jenn V.
--
    "Do you ever wonder if there's a whole section of geek culture
    you miss out on by being a geek?" - Dancer.

jenn@anthill.echidna.id.au  http://anthill.echidna.id.au/~jenn/

_______________________________________________

Pam-list@redhat.com
https://listman.redhat.com/mailman/listinfo/pam-list
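
The two configuration points raised in the reply above (a pass-through option on the stacked module, and no not_set_pass on a module ahead of it) can be checked mechanically. The following is an added example, not part of the original thread or of Linux-PAM; it assumes /etc/pam.d-style lines (no service field), and the sample stacks are constructed.

```python
# Added illustration, not from the thread. Assumes /etc/pam.d-style lines:
#   type  control  module  [arguments]
PASS_OPTS = {"use_first_pass", "try_first_pass"}

# Constructed samples; my_module is the placeholder name used in the thread.
SAMPLE_BAD = """\
auth     required pam_unix.so
password required pam_unix.so not_set_pass
password required my_module
"""
SAMPLE_GOOD = """\
password required pam_unix.so
password [success=1 default=ignore] my_module use_first_pass debug
"""

def parse_stack(text, mgmt_type="password"):
    """Return [(module, [args])] for one management group, in stack order."""
    entries = []
    for raw in text.replace("\\\n", " ").splitlines():  # join continued lines
        fields = raw.split("#", 1)[0].split()            # drop comments
        if not fields or fields[0].lstrip("-") != mgmt_type:
            continue
        rest = fields[1:]
        # The control field is one word or a [value=action ...] list that
        # whitespace-splitting breaks into several tokens.
        if rest and rest[0].startswith("["):
            while rest and not rest[0].endswith("]"):
                rest.pop(0)
        rest = rest[1:]  # drop the control word (or the list's last token)
        if rest:
            entries.append((rest[0], rest[1:]))
    return entries

def check_password_stack(text):
    """Flag the two settings the reply says to check, in stack order."""
    findings = []
    stack = parse_stack(text)
    for i, (module, args) in enumerate(stack):
        name = module.rsplit("/", 1)[-1]
        if "not_set_pass" in args and i < len(stack) - 1:
            findings.append(f"{name}: not_set_pass hides tokens from later modules")
        if i > 0 and not PASS_OPTS & set(args):
            findings.append(f"{name}: stacked without use_first_pass/try_first_pass")
    return findings

if __name__ == "__main__":
    for label, sample in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, check_password_stack(sample))
```

A clean result only rules out these two configuration causes; the first message in the thread reports the tokens still unavailable after pam_unix.so with or without not_set_pass.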