I recall reading in some mailing list archive that in the password stack, pam_cracklib doesn't behave quite like normal modules. Unfortunately, I can't find the old message.

The difference, as I recall, has something to do with the fact that pam_cracklib is "called" (correct term?) on a "second pass" of some sort, only after another module has asked for the existing password. This seems to be confirmed by my experimentation because pam_cracklib is at the top of my password stack, yet the other modules first prompt for existing password.

In order to get everything to work as desired, I give my other password modules a use_authtok flag. Then, the sequence is (paraphrased, sorry it's not in front of me right now) as follows:

    enter current <some_module> password:   // a module UNDER pam_cracklib
    enter UNIX password:                    // this is pam_cracklib
    re-enter UNIX password:                 // pam_cracklib again
    passwords updated successfully.         // presumably, the first module updates here

Without use_authtok flags, my other modules re-prompt after the pam_cracklib prompts.

Is my understanding of what is happening correct? Can I get pam_cracklib to initially prompt for the existing password? What's the sequence of "passes" and when do authtoks get created/passed? Is there somewhere that I can read documentation so that I don't have to bother the list?

--
Steve
"Social engineering will get you what you want..." - Barcelona
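
An added example, not part of the original post and not Linux-PAM code: a simplified Python model of the two passes libpam makes over the password stack, where each module's pam_sm_chauthtok is called first with PAM_PRELIM_CHECK and then with PAM_UPDATE_AUTHTOK. It reproduces the prompt order described above with and without use_authtok; the module name other_module, the prompt strings and the token values are constructed.

```python
# Simplified model of the password stack; not libpam or any module's source.
PRELIM_CHECK, UPDATE_AUTHTOK = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"

def cracklib(phase, items, prompts, opts):
    """Model of pam_cracklib: silent in the preliminary pass."""
    if phase == UPDATE_AUTHTOK:
        prompts += ["cracklib: new password", "cracklib: retype new password"]
        items["PAM_AUTHTOK"] = "new-secret"  # constructed; strength check omitted

def other_module(phase, items, prompts, opts):
    """Hypothetical password module stacked under pam_cracklib."""
    if phase == PRELIM_CHECK:
        # The old password is collected and verified in the first pass.
        prompts.append("other_module: current password")
        items["PAM_OLDAUTHTOK"] = "old-secret"  # constructed
    elif "use_authtok" in opts:
        # Must reuse the token an earlier module stored; never prompts.
        if "PAM_AUTHTOK" not in items:
            raise LookupError("use_authtok set but no new token in the stack")
    else:
        prompts += ["other_module: new password",
                    "other_module: retype new password"]
        items["PAM_AUTHTOK"] = "new-secret"  # constructed

def run_password_stack(stack):
    """Traverse the whole stack once per phase; return prompts in order."""
    items, prompts = {}, []
    for phase in (PRELIM_CHECK, UPDATE_AUTHTOK):
        for module, opts in stack:
            module(phase, items, prompts, opts)
    return prompts

if __name__ == "__main__":
    for opts in (["use_authtok"], []):
        print(opts, run_password_stack([(cracklib, []), (other_module, opts)]))
```

In this model, placing a use_authtok module above pam_cracklib fails in the update pass, because no earlier module has stored a new token yet.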