On Tue, Oct 16, 2001 at 09:52:31AM -0700, Andrew Morgan wrote:
> The way a module should support pam_chauthtok is described here:
>
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-3.html#ss3.5
>
> Note, libpam calls pam_sm_chauthtok twice. The update is supposed to
> happen the second time around. The first time, it simply checks that the
> updating service is available.
>
> On the second pass, for the Linux-PAM implementation, the new password
> is entered (strength checked with something like pam_cracklib or
> pam_passwdqc) and then made available for later modules in the stack.
>
> To get what you want, I would investigate if you can coax a strength
> checking module into enforcing your requirements earlier in the
> pam_stack than the unix and krb modules.
>
> If you are using HP (Solaris derived) pam libraries/modules, then I'm
> not actually sure if the concept of a strength checking module is
> supported.

It doesn't seem to be, but this is only a module (pam_unix) issue. The
Solaris PAM libraries invoke the two stack passes just fine for me.

However, as I didn't want to force people to replace pam_unix on their
Solaris boxes, recent development versions of pam_passwdqc add options
which make it replace _some_ of pam_unix's functionality when desired.
In particular, pam_passwdqc is now able to ask for and check the old
password, and do so during the update phase. All of these may be
configured separately and without having to re-compile the module.

The relevant new pam_passwdqc options are --

---
ask_oldauthtok[=update]		[]
	Ask for the old password as well. Normally, pam_passwdqc leaves this
	task for the password changing module. A simple "ask_oldauthtok" will
	cause pam_passwdqc to ask for the old password during the preliminary
	check phase. With "ask_oldauthtok=update", pam_passwdqc will do that
	during the update phase.

check_oldauthtok		[]
	This tells pam_passwdqc to validate the old password before giving a
	new password prompt. Normally, this task is left for the password
	changing module.
---

The Solaris-specific installation instructions are --

---
pam_passwdqc has to ask for the old password during the update phase.
Use "ask_oldauthtok=update check_oldauthtok" with pam_passwdqc and
"use_first_pass" with pam_unix. You will likely also need to set "max=8"
in order to actually enforce not-so-weak passwords with the obsolete
"traditional" crypt(3) hashes that most Solaris systems use. Of course
this way you only get about one third of the functionality of
pam_passwdqc.
---

The development version which builds without any warnings (gcc -Wall) on
both Linux-PAM and Solaris is here --

ftp://ftp.openwall.com/pvt/pam_passwdqc-0.3.9.6.tar.gz

For those reading this in the list archives, pam_passwdqc-0.4, when
released, will be available at the usual place --

http://www.openwall.com/passwdqc/

Please test and provide your feedback (include all relevant version
information, compiler warnings, and module options). It really helps.

-- 
/sd
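The Solaris stack described in the post, written out as an /etc/pam.conf fragment. This is an added illustration, not configuration shipped with pam_passwdqc or quoted from the message; the service name "passwd", the module file names and the /usr/lib/security paths are assumptions and should be checked against the actual files on the box.

```conf
# Added example (not from the post): Solaris /etc/pam.conf, password stack
# for the passwd service. Paths and module file names are assumptions.
#
# BEFORE (typical Solaris default): pam_unix alone asks for the old
# password and performs the update, so the only strength policy applied
# is whatever pam_unix itself does.
#
#   passwd  password  required   /usr/lib/security/pam_unix.so.1
#
# AFTER: pam_passwdqc is stacked before pam_unix.
#  - "requisite": a rejected new password ends the stack immediately, so
#    pam_unix never sees it.
#  - ask_oldauthtok=update check_oldauthtok: pam_passwdqc prompts for the
#    old password during the update pass and verifies it itself, because
#    pam_unix on Solaris does not do a preliminary-check pass the way
#    Linux-PAM's password stack expects.
#  - max=8: traditional crypt(3) only hashes the first 8 characters, so a
#    longer, looser passphrase would be silently truncated; capping the
#    length makes pam_passwdqc apply its stricter short-password rules.
#  - use_first_pass on pam_unix: reuse the old and new passwords already
#    collected by pam_passwdqc instead of prompting again.
passwd  password  requisite  /usr/lib/security/pam_passwdqc.so  ask_oldauthtok=update check_oldauthtok max=8
passwd  password  required   /usr/lib/security/pam_unix.so.1     use_first_pass
```

To check the result, run passwd as an unprivileged user: the old-password prompt and the strength rejection messages should now come from pam_passwdqc, and pam_unix should update the hash without a second set of prompts. Keep a root shell open while editing pam.conf, since a typo in the file can lock out password changes and logins.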