Hello,

I have the following problem with pam_chauthtok called from a GUI in which the user should change his password (under RHEL 3 in C++):

Changing the password via pam_chauthtok works perfectly, including the strength check with pam_cracklib, the history check with pam_unix and writing the opasswd. But writing it works only once for each GUI process, i.e. only the first time that I change the password via one GUI. When I open a new GUI, the first password is changed again.

It seems that pam_unix or pam_cracklib, or whoever is responsible for changing the user's password, somehow "remembers" that this PID has already successfully called pam_chauthtok, or something like that?

What might be the problem here? Do I have to reset something somewhere in pam? Who exactly writes the shadow and opasswd files, at which time, and in response to which signal?

Following is a short extract from my source code including the password changing:

=====================
#include <security/pam_appl.h>

unsigned32 PasswdAdmin::isAllowed(char *i1_oldpassword, char *i2_newpassword,
                                  char *i3_userName, char **o1_msg)
{
    pam_handle_t *pamh = NULL;
    struct pam_conv conv;
    conv.conv = PamConverse;
    conv.appdata_ptr = NULL;  // no application data is passed; avoid an uninitialised pointer

    // values handed over to the conv function
    pass1 = i2_newpassword;
    pass2 = i1_oldpassword;

    int retval = pam_start ("check_password", i3_userName, &conv, &pamh);

    if (retval == PAM_SUCCESS) {
        // authenticate with the old password first
        retval = pam_authenticate (pamh, 0);
        if (retval != PAM_SUCCESS) {
            TRACE( "AUTHENTICATE returns " << pam_strerror(pamh, retval) );
            pam_end (pamh, retval);
            return C_ERROR;
        }
    } else {
        TRACE( "pam_start returns " << pam_strerror(pamh, retval) );
        pam_end (pamh, retval);
        return GEN_C_ERROR;
    }

    if (retval == PAM_SUCCESS) {
        // change the password
        retval = pam_chauthtok (pamh, 0);
        if (retval != PAM_SUCCESS) {
            TRACE( "CHAUTHTOK returns " << pam_strerror(pamh, retval) );
            pam_end (pamh, retval);
            if (transfer_msg) {
                *o1_msg = transfer_msg;  // message from the conv function
            }
            return C_ERROR;
        }
    } else {
        TRACE( "pam_start returns " << pam_strerror(pamh, retval) );
        pam_end (pamh, retval);
        return C_ERROR;
    }

    pam_end (pamh, retval);
    return C_OK;
}
==========================

This is called from the GUI via callback. Only the first call leads to a changed passwd.

I see in the traces of the conversion function that, when I call chauthtok the first time, it first asks for the old password and then twice for the new password. When I call it a second time, it asks only for the new password twice, although I have a new pamh. It returns PAM_SUCCESS but without having changed the password :(

I would be very happy if someone had an idea about this problem.

regards
Doerte

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list