Steve Langasek wrote: > [] > > 1. Re-check the old password when doing the UPDATE, at least in the > > case when PAM_PRELIM_CHECK wasn't done. > > This should never happen. The module's pam_sm_chauthtok() function is called > twice by the PAM library, first with PAM_PRELIM_CHECK set, then with > PAM_UPDATE_AUTHTOK. I believe this is already well documented in the PAM > specs. Any implementation of libpam that doesn't call pam_sm_chauthtok() this > way is seriously broken. That's ok, but issue is not here. Issue is in stacking with other modules, and with some other (less-common) things. chauthtok() called twice, and this is not a question. But the real question is -- will it be called with UPDATE_AUTHTOK if it returned error when called with PRELIM_CHECK set earlier? This can happen if that module was declared "sufficient" while other module (that did authenticated user) as "required"/"sufficient". In the other hand, other modules can change authtok on its own (due to even admin mistake), so things will be more "interesting". Also (less-common) thing is a locking. It is bad idea to lock passwd database(s) during all passwd stack work (I said this earlier already). And so, after verifying current passwd, there is a chance to have it already updated (by someone else?! :) when we will try to update it at the end. So, this checking of old passwd compared to system's one _when updating it_ is useful here too.
