On Wed, Jun 26, 2002 at 04:09:20PM +1000, John Warburton wrote:

Hi John,

> I have installed pam_passwdqc 0.5 on my Solaris 2.8 box (latest recommended
> patches, Netra T1, Ultra SPARC II). I am testing this with openssh-3.1p1
> (yes I am configuring the latest openssh), and am having issues with
> accounts whose passwords have aged.

(BTW, the changing of expired passwords via PAM is gone with OpenSSH 3.3p1,
will hopefully be re-added in future versions.)

> The config:
>
> /etc/pam.conf
> login auth required /usr/lib/security/$ISA/pam_unix.so.1
> other auth required /usr/lib/security/$ISA/pam_unix.so.1
> login account requisite /usr/lib/security/$ISA/pam_roles.so.1
> login account required /usr/lib/security/$ISA/pam_projects.so.1
> login account required /usr/lib/security/$ISA/pam_unix.so.1
> other account requisite /usr/lib/security/$ISA/pam_roles.so.1
> other account required /usr/lib/security/$ISA/pam_projects.so.1
> other account required /usr/lib/security/$ISA/pam_unix.so.1
> other session required /usr/lib/security/$ISA/pam_unix.so.1
> other password required /usr/lib/security/$ISA/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
> other password required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
>
> The login attempt
>
> johnw@singer% ssh dawkins
> *******************************************************************
> *                                                                 *
> *     This service is for authorised ASIC users only.             *
> *     UNAUTHORISED ACCESS STRICTLY PROHIBITED.                    *
> *                                                                 *
> *******************************************************************
> johnw@dawkins's password:
> Warning: Your password has expired, please change it now
>
> You can now choose the new password.
>
> A valid password should be a mix of upper and lower case letters,
> digits and other characters. You can use an 8 character long
> password with characters from at least 3 of these 4 classes, or
> a 7 character long password containing characters from all the
> classes. Characters that form a common pattern are discarded by
> the check.
>
> Enter new password:
> Re-type new password:
> Connection to dawkins closed by remote host.
> Connection to dawkins closed.
>
> I cannot login with the changed password, but only with the old (which is
> expired)

Well, as you can see, pam_passwdqc hasn't asked for the old password
despite you specifying ask_oldauthtok as required for stacking with Sun's
pam_unix. This is because pam_passwdqc tries to be smart and not ask for
the old password when it is running as root. pam_unix would probably do
the same. But we see that it fails, and the syslog messages suggest that
it does want to obtain the old password.

Are you able to change passwords with such a setup (with pam_passwdqc),
with passwd(1)? When running as the user? When running as root?

From the information you've provided, I suspect that the latter will fail
in a similar way. Although it worked for me. If that is the case, I will
be doing some more testing on Solaris 8 myself. If, however, this turns
out to be OpenSSH specific, I will be doing the testing only after this
stuff is introduced into OpenSSH again. It doesn't make sense to deal
with 3.1p1 issues now.

Thanks for the report!

-- 
/sd
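The stacking rules the reply relies on (a use_first_pass module needs an earlier module in the same password stack that prompts, and pam_passwdqc ahead of Sun's pam_unix should carry ask_oldauthtok so the old password is collected) can be checked mechanically. The linter below is an added example, not code from the thread or from pam_passwdqc; the sample pam.conf is constructed from the report's 'other password' lines, and treating any module without use_first_pass as one that prompts is a simplifying assumption.

```python
"""Lint the password stacks of a Solaris-style /etc/pam.conf (added example)."""

# Constructed sample, mirroring the password stack from the report above.
SAMPLE_PAM_CONF = """\
other session  required /usr/lib/security/$ISA/pam_unix.so.1
other password required /usr/lib/security/$ISA/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
other password required /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
"""


def parse_pam_conf(text):
    """Yield (service, type, control, module basename, options) per entry."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:
            continue
        service, mtype, control, path = fields[:4]
        yield service, mtype, control, path.rsplit("/", 1)[-1], fields[4:]


def lint_password_stacks(text):
    """Return a list of warnings about each service's password stack."""
    stacks = {}
    for service, mtype, _control, module, options in parse_pam_conf(text):
        if mtype == "password":
            stacks.setdefault(service, []).append((module, options))
    warnings = []
    for service, stack in stacks.items():
        seen_prompting = False  # assumption: a module without use_first_pass prompts
        for i, (module, options) in enumerate(stack):
            if "use_first_pass" in options and not seen_prompting:
                warnings.append(f"{service}: {module} has use_first_pass but no earlier "
                                "module in the password stack prompts for a password")
            if module.startswith("pam_passwdqc"):
                unix_follows = any(m.startswith("pam_unix") for m, _ in stack[i + 1:])
                asks_old = any(o.startswith("ask_oldauthtok") for o in options)
                if unix_follows and not asks_old:
                    warnings.append(f"{service}: pam_passwdqc is stacked before pam_unix "
                                    "without ask_oldauthtok, so the old password is never asked for")
            seen_prompting = seen_prompting or "use_first_pass" not in options
    return warnings


if __name__ == "__main__":
    for warning in lint_password_stacks(SAMPLE_PAM_CONF) or ["password stacks look consistent"]:
        print(warning)
```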