Hi I have installed pam_passwdqc 0.5 on my Solaris 2.8 box (latest recommended patches, Netra T1, Ultra SPARC II). I am testing this with openssh-3.1p1 (yes I am configuring the latest openssh), and am having issues with accounts whose passwords have aged. The config: /etc/pam.conf login auth required /usr/lib/security/$ISA/pam_unix.so.1 other auth required /usr/lib/security/$ISA/pam_unix.so.1 login account requisite /usr/lib/security/$ISA/pam_roles.so.1 login account required /usr/lib/security/$ISA/pam_projects.so.1 login account required /usr/lib/security/$ISA/pam_unix.so.1 other account requisite /usr/lib/security/$ISA/pam_roles.so.1 other account required /usr/lib/security/$ISA/pam_projects.so.1 other account required /usr/lib/security/$ISA/pam_unix.so.1 other session required /usr/lib/security/$ISA/pam_unix.so.1 other password required /usr/lib/security/$ISA/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users other password required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass The login attempt johnw@singer% ssh dawkins ******************************************************************* * * * This service is for authorised ASIC users only. * * UNAUTHORISED ACCESS STRICTLY PROHIBITED. * * * ******************************************************************* johnw@dawkins's password: Warning: Your password has expired, please change it now You can now choose the new password. A valid password should be a mix of upper and lower case letters, digits and other characters. You can use an 8 character long password with characters from at least 3 of these 4 classes, or a 7 character long password containing characters from all the classes. Characters that form a common pattern are discarded by the check. Enter new password: Re-type new password: Connection to dawkins closed by remote host. Connection to dawkins closed. I cannot login with the changed password, but only with the old (which is expired) and the syslog entries: Jun 26 16:07:52 dawkins sshd[2753]: [ID 308033 auth.debug] pam_acct_mgmt: error Get new authentication token Jun 26 16:07:52 dawkins sshd[2753]: [ID 800047 auth.info] Accepted password for johnw from 10.10.10.100 port 38439 ssh2 Jun 26 16:07:58 dawkins sshd[2755]: [ID 125209 auth.debug] pam_chauthtok: error Authentication token manipulation error Jun 26 16:07:58 dawkins sshd[2755]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[20]: Authentication token manipulation error I see the error in pam_chauthtok, but have no idea how to debug further to get more information. Any pointers as to what I am doing wrong would be appreciated. Thanks John
