Re: password sync.

You are running up against a small problem with the design (there is no
way to rollback password changes).

The way a module should support pam_chauthtok is described here:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-3.html#ss3.5

Note, libpam calls pam_sm_chauthtok twice. The update is supposed to
happen the second time around. The first time, it simply checks that the
updating service is available.

On the second pass, for the Linux-PAM implementation, the new password
is entered (strength checked with something like pam_cracklib or
pam_passwdq) and then made available for later modules in the stack.

To get what you want, I would investigate if you can coax a strength
checking module into enforcing your requirements earlier in the
pam_stack than the unix and krb modules.

If you are using HP (Solaris derived) pam libraries/modules, then I'm
not actually sure if the concept of a strength checking module is
supported.

Cheers

Andrew
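The ordering Andrew suggests, as an added example that is not from the original thread, written in Linux-PAM /etc/pam.d syntax rather than the four-column pam.conf form quoted below; minlen=8 mirrors the Kerberos policy in the question, and the module options are pam_cracklib's and pam_unix/pam_krb5's standard ones:

```text
# /etc/pam.d/passwd  (Linux-PAM syntax; added example, not from the thread)
#
# 1. The strength check runs first. On the PAM_PRELIM_CHECK pass it only
#    verifies that it is usable; on the PAM_UPDATE_AUTHTOK pass it prompts
#    for the new password and rejects a weak one before any backend is
#    touched. minlen=8 mirrors the Kerberos policy; the *credit=0 options
#    stop cracklib from counting character-class credits toward the length,
#    so "secret" (6 chars) is refused here rather than at the krb5 module.
#    "requisite" returns failure immediately instead of continuing the stack.
password  requisite  pam_cracklib.so retry=3 minlen=8 dcredit=0 ucredit=0 lcredit=0 ocredit=0
#
# 2. Both backends consume the already-checked token (use_authtok) instead
#    of prompting again, so they receive the identical new password.
password  required   pam_unix.so    use_authtok
password  required   pam_krb5.so    use_authtok
```

This closes the gap only for rules the strength module can express locally; a per-principal KDC policy the module does not know about can still reject the update after pam_unix has already committed, since PAM has no rollback.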

Sridhar Bandi wrote:
> 
> Hi,
> 
>      I have a problem with password synchronization.
> Consider the following scenario.
>      When the administrator configures the password section of the
>       pam configuration file with two modules, assume unix and
>       kerberos, as follows
> 
>      passwd       password      required     libpam_unix.so
>      passwd       password      required     libpam_krb5.so use_first_pass
> 
> Assume a user whose password in both mechanisms is in sync,
> and there is no policy associated with the user in Unix but in
> Kerberos there is a policy (minimum length of the password
> needs to be 8 chars) associated with that user. Now the user
> tries to change the password and he is asked for the "Old Password:"
> and he enters the old password, and when "New Password :" is asked for
> the user enters, let's assume, "secret" (length=6). As unix is configured
> first, the user will get his password changed in unix, but when it
> comes to Kerberos, as there is a policy associated with the user which
> has a minimum password length of 8 chars, his password cannot
> be changed. Now the passwords in the two databases (unix and Kerberos)
> are not in sync.
> 
> Here I have a problem: I want the user's password to always be in sync,
> which is getting violated in the above scenario. Is this a limitation
> of the PAM architecture, or can we roll back the old password in Unix
> if the chauthtok() fails in Kerberos?
> Please help me out with this.
> 
> thanks in advance.
> 
> regards
> Bandi.
> 
> _______________________________________________
> 
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
