> You should have stacked pam_passwdqc after pam_dhkeys, not before. > And there should be no need for "ask_oldauthtok=update > check_oldauthtok" on your recent/patched Solaris 8 (it's almost > Solaris 9 in fact). Thanks for the info, although changing the order there didn't fix the problem. When I took out the ask_oldauthtok=update check_oldauthtok, it went back to failing at the very end. When I put them back in, it works just like before, even with the order swapped. I don't think the ordering should matter in this case since pam_dhkeys is used for diffie-hellman keys and secure rpc, which we aren't using. I had tried both scenarios listed in PLATFORMS, and since I have patch 108993-33, I originally commented out pam_authtok_get and pam_authtok_check, but had to use the ask_oldauthtok=update check_oldauthtok options to get it to work, so it's sort of a kludge of both scenarios. We don't use pam_ldap, so I don't know what other modules to check. I also tried using either of ask_oldauthtok=update check_oldauthtok only, but that didn't work either. LDAP passwords update just fine when the user enters their current password twice, which makes me wonder if it has something to do with how pam_authtok_store gets the token from the preceding module? > Also, I'm not sure what you're trying to achieve with "match=0 > similar=deny"? (This is not related to the problem at hand, but > simply looks weird to me.) > I'm not sure what I was trying to go for here either now. I definitely wanted the similar=deny, but I don't know why I disabled the substring search. Thanks again for the help. Chris _______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
