Hello, the actual pam/shadow combination does strange things, i don't know if it is a new problem or what package introdused this behavior... The problem is that on password change, the password isn't asked for again if cracklib has any problem with the prior entered one... pam version: 1.1.0 shadow version: 4.1.4.1 cracklib version: 2.8.13 /etc/pam.d/passwd : password required pam_cracklib.so authtok_type=system difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 password required pam_unix.so md5 shadow use_authtok nullok # passwd Changing password for user. (current) UNIX password: New system password: Retype new system password: BAD PASSWORD: it is WAY too short BAD PASSWORD: it is WAY too short BAD PASSWORD: it is WAY too short passwd: Have exhausted maximum number of retries for service passwd: password unchanged hope someone could shed some light into this changed behaviour... Marc _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list