Greetings. I am trying to understand the subtleties of PAM on a RHEL6 box, and hope I can gain better insight from more experienced list members. I've been examining the official documentation and been experimenting quite a bit, but to no avail. Thank you in advance for any insight you may provide...
Starting with a very straightforward PAM password stack: password requisite pam_cracklib.so minlen=8 password sufficient pam_unix.so sha512 shadow use_authtok password required pam_deny.so Simple enough. I believe I understand what happens.Now, insert echo's between each line of the above to trace how things work: password optional pam_echo.so TEST LINE 1 password requisite pam_cracklib.so minlen=8 password optional pam_echo.so TEST LINE 2 password optional pam_echo.so TEST LINE 3 password required pam_deny.so and give it a run... [username@box}$ passwd Changing password for user username TEST LINE 1 TEST LINE 2 Changing password for username (current) UNIX password: <<use incorrect password here to cause failure>> TEST LINE 3 passwd: Authentication token manipulation error I still believe I understand what's happening. So far, so good. Now, I use the correct (current) password, but fail to enter an acceptable new password (eg, <8 characters). TEST LINE 3 does NOT echo to the screen in this case, even though the pam_unix line fails. I expected it would. What am I missing? [username@box}$ passwd Changing password for user username TEST LINE 1 TEST LINE 2 Changing password for username (current) UNIX password: <<enter correct password here>> New password: <<enter very short password to make fail>> BAD PASSWORD: it is WAY too short Password: <<repeat bad password to make it fail>> passwd: Authentication token manipulation error Thank you. |
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list