You are running up against a small problem with the design (there is no way to rollback password changes). The way a module should support pam_chauthtok is described here: http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-3.html#ss3.5 Note, libpam calls pam_sm_chauthtok twice. The update is supposed to happen the second time around. The first time, it simply checks that the updating serivce is available. On the second pass, for the Linux-PAM implementation, the new password is entered (strength checked with something like pam_cracklib or pam_passwdq) and then made available for later modules in the stack. To get what you want, I would investigate if you can coax a strength checking module into enforcing your requirements earlier in the pam_stack than the unix and krb modules. If you are using HP (Solaris derived) pam libraries/modules, then I'm not actually sure if the concept of a strength checking module is supported. Cheers Andrew Sridhar Bandi wrote: > > Hi , > > I have problem with password synchronization. > Consider the following scenario. > When administrator configures the password section of the > pam configuration file with two modules assume unix and > kerberos as follows > > passwd password required libpam_unix.so > passwd password required libpam_krb5.so > use_first_pass > > Assume a user whose password in both the mechanisms are in sync , > and there is no policy assoiciated with the user in Unix but in > Kerberos there is a policy (minimum length of the password > need to be 8 chars) associated with that user , Now the user > tries to change the password and he is asked for the "Old Password:" > and he enters old password and when "New Password :" is asked for > the user enters lets assume "secret" (length=6) , As unix is configured > first the user will get his password changed in unix , but when it > comes to Kerberos as there is a policy associated with the user which > has minimum length of the password as 8 chars , his password cannot > be changed. Now the passwords in the two databases(unix and Kerberos) > are not in sync. > > Here I have a problem , I want the users password always be in sync > which is getting violated in the above scenario. Is this a limitation > of PAM architecture or can we rollback the old password in Unix > if the chauthtok() fails in the Kerberos. > Please help me out in this . > > thanks in advance . > > regards > Bandi. > > _______________________________________________ > > Pam-list@redhat.com > https://listman.redhat.com/mailman/listinfo/pam-list
