Hi,

Thank you all for helping me out of the problem.
So that seems like we cannot rollback the passwords in PAM.

Regards
bandi

Solar Designer wrote:

> On Tue, Oct 16, 2001 at 09:52:31AM -0700, Andrew Morgan wrote:
> > The way a module should support pam_chauthtok is described here:
> >
> > http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam_modules-3.html#ss3.5
> >
> > Note, libpam calls pam_sm_chauthtok twice. The update is supposed to
> > happen the second time around. The first time, it simply checks that the
> > updating service is available.
> >
> > On the second pass, for the Linux-PAM implementation, the new password
> > is entered (strength checked with something like pam_cracklib or
> > pam_passwdq) and then made available for later modules in the stack.
> >
> > To get what you want, I would investigate if you can coax a strength
> > checking module into enforcing your requirements earlier in the
> > pam_stack than the unix and krb modules.
> >
> > If you are using HP (Solaris derived) pam libraries/modules, then I'm
> > not actually sure if the concept of a strength checking module is
> > supported.
>
> It doesn't seem to be, but this is only a module (pam_unix) issue.
> The Solaris PAM libraries invoke the two stack passes just fine for
> me. However, as I didn't want to force people to replace pam_unix on
> their Solaris boxes, recent development versions of pam_passwdqc add
> options which make it replace _some_ of pam_unix's functionality when
> desired. In particular, pam_passwdqc is now able to ask for and check
> the old password, and do so during the update phase. All of these may
> be configured separately and without having to re-compile the module.
>
> The relevant new pam_passwdqc options are --
>
> ---
> ask_oldauthtok[=update] []
>
> Ask for the old password as well. Normally, pam_passwdqc leaves this
> task for the password changing module. A simple "ask_oldauthtok" will
> cause pam_passwdqc to ask for the old password during the preliminary
> check phase. With "ask_oldauthtok=update", pam_passwdqc will do that
> during the update phase.
>
> check_oldauthtok []
>
> This tells pam_passwdqc to validate the old password before giving a
> new password prompt. Normally, this task is left for the password
> changing module.
> ---
>
> The Solaris-specific installation instructions are --
>
> ---
> pam_passwdqc has to ask for the old password during the update phase.
> Use "ask_oldauthtok=update check_oldauthtok" with pam_passwdqc and
> "use_first_pass" with pam_unix.
>
> You will likely also need to set "max=8" in order to actually enforce
> not-so-weak passwords with the obsolete "traditional" crypt(3) hashes
> that most Solaris systems use. Of course this way you only get about
> one third of the functionality of pam_passwdqc.
> ---
>
> The development version which builds without any warnings (gcc -Wall)
> on both Linux-PAM and Solaris is here --
>
> ftp://ftp.openwall.com/pvt/pam_passwdqc-0.3.9.6.tar.gz
>
> For those reading this in the list archives, pam_passwdqc-0.4, when
> released, will be available at the usual place --
>
> http://www.openwall.com/passwdqc/
>
> Please test and provide your feedback (include all relevant version
> information, compiler warnings, and module options). It really helps.
>
> --
> /sd
>
> _______________________________________________
>
> Pam-list@redhat.com
> https://listman.redhat.com/mailman/listinfo/pam-list
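
Added example, not part of the original thread and not code from pam_passwdqc: a small Python check that a pam.conf-style password stack follows the Solaris instructions quoted above (pam_passwdqc ahead of pam_unix, with the options the message names). The `other` service name, the module paths and the sample configurations are constructed assumptions.

```python
import re

# Options the quoted Solaris instructions ask for on pam_passwdqc.
PASSWDQC_REQUIRED = ("ask_oldauthtok=update", "check_oldauthtok")

def password_stack(conf_text, service="other"):
    """Parse 'service type control module-path [options]' lines into [(module, [options])]."""
    stack = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4 or fields[0] != service or fields[1] != "password":
            continue
        name = re.sub(r"\.so(\.\d+)*$", "", fields[3].rsplit("/", 1)[-1])
        stack.append((name, fields[4:]))
    return stack

def audit(conf_text, service="other"):
    """Return a list of findings; an empty list means the stack matches."""
    stack = password_stack(conf_text, service)
    names = [n for n, _ in stack]
    if "pam_passwdqc" not in names:
        return ["pam_passwdqc is not in the password stack"]
    if "pam_unix" not in names:
        return ["pam_unix is not in the password stack"]
    findings = []
    qc, ux = names.index("pam_passwdqc"), names.index("pam_unix")
    if qc > ux:
        findings.append("pam_passwdqc must come before pam_unix")
    for opt in PASSWDQC_REQUIRED:
        if opt not in stack[qc][1]:
            findings.append(f"pam_passwdqc is missing {opt}")
    if "use_first_pass" not in stack[ux][1]:
        findings.append("pam_unix is missing use_first_pass")
    if "max=8" not in stack[qc][1]:
        findings.append("pam_passwdqc has no max=8 (advised for traditional crypt(3) hashes)")
    return findings

# Constructed sample input; module paths are assumptions, not from the thread.
GOOD = """\
other password required /usr/lib/security/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok max=8
other password required /usr/lib/security/pam_unix.so.1 use_first_pass
"""
BAD = """\
other password required /usr/lib/security/pam_unix.so.1
other password required /usr/lib/security/pam_passwdqc.so ask_oldauthtok
"""

if __name__ == "__main__":
    print("GOOD:", audit(GOOD) or "ok", "\nBAD:", audit(BAD))
```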