On Thu, Apr 27, 2006 at 03:03:27PM -0400, Scott Gentry wrote:
> While fooling around with cracklib and passwdqc I noticed that when
> pam_get_item is called on to get PAM_OLDAUTHTOK that NULL is returned when I
> run the passwd program as root.
>
> I believe that this is done because when the root user changes a password for
> a user that you don't want root to be prompted for the old password.

That's correct.

> That does allow the root user to break some policy rules for passwdqc (ie
> can use an old password or a similar password which is supposed to be
> invalid).

Yes.

> Is this the desired functionality when passwd is called as root?

It is not always desired, but no other approach is obviously better than
that. A "solution" would be to store password histories. Unfortunately,
such histories pose a security risk on their own.

> Is there any way to have the OLDAUTHTOK stored when the root user is running
> the application?

The question is where the OLDAUTHTOK would come from. It is supposed to be
the _plaintext_ old password - but you don't want to be storing that
anywhere on the system. So either root is forced to enter it - which is
most certainly undesired and not always possible - or you don't have it.

A partial workaround would be to attempt authentication with the new
password prior to actually setting the password. If authentication
succeeds, then the entered new password is the same as the old one - and
it should be rejected. Unfortunately, pam_passwdqc itself can only be
enhanced to do that for Unix passwords serviced by the NSS. This may be
good enough for you, but it won't cover all possible setups.
Alternatively, it's pam_unix (or its equivalents, such as our pam_tcb)
which could be enhanced to perform the same-as-old-password check.

Overall, this seems like quite some complexity for little gain - so it's
probably not worth doing.
-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929 6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
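As an added illustration of the partial workaround described in the reply above (this is not code from the thread, from pam_passwdqc or from pam_unix): a chauthtok-style check that uses the plaintext PAM_OLDAUTHTOK when the caller was prompted, and falls back to authenticating the proposed new password against the stored hash when PAM_OLDAUTHTOK is NULL (the root case). It assumes a dict standing in for pam_get_item() and a constructed PBKDF2 format standing in for a shadow hash, with crypt(3) used only when a real crypt-style hash is passed.

```python
import hashlib
import hmac

try:
    import crypt  # stdlib wrapper for crypt(3); not available on Python >= 3.13
except ImportError:
    crypt = None

PBKDF2_ROUNDS = 100_000  # cost for the constructed stand-in format below


def make_stand_in_hash(password: str, salt: str) -> str:
    """Constructed '$pbkdf2$<salt>$<hex>' format standing in for a shadow entry."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), PBKDF2_ROUNDS)
    return f"$pbkdf2${salt}${digest.hex()}"


def verify_against_hash(password: str, stored_hash: str) -> bool:
    """Authenticate a candidate password against the stored hash (the NSS/shadow side)."""
    if stored_hash.startswith("$pbkdf2$"):
        _, _, salt, expected = stored_hash.split("$")
        candidate = make_stand_in_hash(password, salt).split("$")[3]
        return hmac.compare_digest(candidate, expected)
    if crypt is None:
        raise RuntimeError("crypt(3)-style hash given but the crypt module is unavailable")
    return hmac.compare_digest(crypt.crypt(password, stored_hash), stored_hash)


def check_new_token(items: dict, stored_hash: str) -> str:
    """Return 'same-as-old' or 'ok' for the PAM_AUTHTOK in items.

    items mimics what pam_get_item() hands a chauthtok module: PAM_OLDAUTHTOK is
    None when root runs passwd for another user, as described in the thread.
    """
    new = items["PAM_AUTHTOK"]
    old = items.get("PAM_OLDAUTHTOK")
    if old is not None:
        # Normal path: the caller was prompted, so the plaintext old token exists and
        # a module can apply both the same-as-old rule and the similarity rules.
        return "same-as-old" if hmac.compare_digest(new.encode(), old.encode()) else "ok"
    # Root path: no plaintext old token exists anywhere, so the only possible check is
    # to authenticate the proposed new token against the stored hash. Similarity rules
    # cannot be enforced from a hash, which is why this is only a partial workaround.
    return "same-as-old" if verify_against_hash(new, stored_hash) else "ok"
```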