Re: Proper use of pam_echo

On 24.3.2015 12:48, Big Bacala wrote:
Greetings.  I am trying to understand the subtleties of PAM on a RHEL6
box, and hope I can gain better insight from more experienced list
members.  I've been examining the official documentation and been
experimenting quite a bit, but to no avail.  Thank you in advance for
any insight you may provide...

Starting with a very straightforward PAM password stack:
   password   requisite    pam_cracklib.so minlen=8
   password   sufficient   pam_unix.so sha512 shadow use_authtok
   password   required     pam_deny.so

Simple enough. I believe I understand what happens.

Now, insert echo's between each line of the above to trace how things work:
   password   optional     pam_echo.so  TEST LINE 1
   password   requisite    pam_cracklib.so minlen=8
   password   optional     pam_echo.so  TEST LINE 2
   password   sufficient   pam_unix.so sha512 shadow use_authtok
   password   optional     pam_echo.so  TEST LINE 3
   password   required     pam_deny.so


and give it a run...
   [username@box]$ passwd
   Changing password for user username
   TEST LINE 1
   TEST LINE 2
   Changing password for username
   (current) UNIX password: <<use incorrect password here to cause failure>>
   TEST LINE 3
   passwd: Authentication token manipulation error
I still believe I understand what's happening. So far, so good.

Now, I use the correct (current) password, but fail to enter an
acceptable new password (eg, <8 characters).  TEST LINE 3 does NOT echo
to the screen in this case, even though the pam_unix line fails.  I
expected it would.  What am I missing?
   [username@box]$ passwd
   Changing password for user username
   TEST LINE 1
   TEST LINE 2
   Changing password for username
   (current) UNIX password: <<enter correct password here>>
   New password: <<enter very short password to make fail>>
   BAD PASSWORD: it is WAY too short
   Password: <<repeat bad password to make it fail>>
   passwd: Authentication token manipulation error

You have to understand that there are two passes through the password modules during the password change:

1. prelim check - here the pam_echo messages are output and the old password is checked
2. the actual change - here the new password is asked for and the change is done

TEST LINE 3 is not echoed in your second case because pam_unix.so is sufficient and, since it succeeded during the prelim check, no module after pam_unix is processed.

Tomas Mraz
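The two-pass behaviour described in the reply, as an added simulation that is not part of the original thread and not Linux-PAM code. It models the classic control flags (requisite, required, sufficient, optional) and drives the posted stack through PAM_PRELIM_CHECK and then PAM_UPDATE_AUTHTOK the way passwd(1) does. The module bodies are simplified stand-ins: pam_echo is assumed to print only in the prelim pass and return PAM_IGNORE otherwise (consistent with the transcript, where each TEST LINE appears once), pam_cracklib is assumed to do nothing in the prelim pass and check the new password in the update pass without retries, and the password values are constructed. Return-code numbers are arbitrary, not libpam's.

```python
# Added example: a model of how Linux-PAM walks a password stack across the
# two passes passwd(1) drives. Illustrative only, not PAM or pam_echo source.
from dataclasses import dataclass
from typing import Callable

PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR, PAM_AUTHTOK_ERR = 0, 1, 2, 3   # arbitrary values
PRELIM_CHECK, UPDATE_AUTHTOK = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"


@dataclass
class Entry:
    control: str                       # requisite | required | sufficient | optional
    name: str
    run: Callable[[str, dict], int]    # (pass flag, shared context) -> return code


def run_stack(stack, flag, ctx):
    """One pass through the stack with the classic control-flag semantics."""
    first_required_failure = None
    for entry in stack:
        rc = entry.run(flag, ctx)
        if rc == PAM_IGNORE:
            continue                              # contributes nothing to the result
        if entry.control == "requisite" and rc != PAM_SUCCESS:
            return rc                             # stop the pass immediately
        if entry.control == "required" and rc != PAM_SUCCESS:
            if first_required_failure is None:    # remember it, keep walking the stack
                first_required_failure = rc
        if entry.control == "sufficient" and rc == PAM_SUCCESS \
                and first_required_failure is None:
            return PAM_SUCCESS                    # short-circuit: nothing below runs
        # optional: its result never changes the outcome of this stack
    return PAM_SUCCESS if first_required_failure is None else first_required_failure


def pam_echo(text):
    """Stand-in for pam_echo (assumption): print only in the prelim pass, then PAM_IGNORE."""
    def run(flag, ctx):
        if flag == PRELIM_CHECK:
            ctx["screen"].append(text)
        return PAM_IGNORE
    return run


def pam_cracklib(minlen):
    """Stand-in for pam_cracklib (assumption): nothing to do in the prelim pass;
    in the update pass prompt for the new password and vet it (no retries modelled)."""
    def run(flag, ctx):
        if flag == PRELIM_CHECK:
            return PAM_SUCCESS
        ctx["screen"].append("New password:")
        if len(ctx["new"]) < minlen:
            ctx["screen"].append("BAD PASSWORD: it is WAY too short")
            return PAM_AUTHTOK_ERR
        return PAM_SUCCESS
    return run


def pam_unix(flag, ctx):
    """Stand-in for pam_unix: verify the current password in the prelim pass,
    store the new one in the update pass."""
    if flag == PRELIM_CHECK:
        ctx["screen"].append("(current) UNIX password:")
        return PAM_SUCCESS if ctx["typed_current"] == ctx["real_current"] else PAM_AUTH_ERR
    ctx["changed"] = True
    return PAM_SUCCESS


def pam_deny(flag, ctx):
    return PAM_AUTHTOK_ERR


def password_stack():
    """The stack from the post, with the pam_echo tracers between each line."""
    return [
        Entry("optional",   "pam_echo",     pam_echo("TEST LINE 1")),
        Entry("requisite",  "pam_cracklib", pam_cracklib(minlen=8)),
        Entry("optional",   "pam_echo",     pam_echo("TEST LINE 2")),
        Entry("sufficient", "pam_unix",     pam_unix),
        Entry("optional",   "pam_echo",     pam_echo("TEST LINE 3")),
        Entry("required",   "pam_deny",     pam_deny),
    ]


def passwd(typed_current, new, real_current="hunter2hunter2"):
    """Drive both passes like passwd(1); returns (rc, screen lines, password changed?).
    The password strings are constructed sample input."""
    ctx = {"typed_current": typed_current, "real_current": real_current,
           "new": new, "screen": [], "changed": False}
    rc = run_stack(password_stack(), PRELIM_CHECK, ctx)
    if rc == PAM_SUCCESS:                         # the update pass only runs if prelim passed
        rc = run_stack(password_stack(), UPDATE_AUTHTOK, ctx)
    if rc != PAM_SUCCESS:
        ctx["screen"].append("passwd: Authentication token manipulation error")
    return rc, ctx["screen"], ctx["changed"]


if __name__ == "__main__":
    cases = [("wrong current password", ("nope", "short")),
             ("correct current, new too short", ("hunter2hunter2", "short")),
             ("correct current, acceptable new", ("hunter2hunter2", "longenough1"))]
    for label, args in cases:
        rc, screen, changed = passwd(*args)
        print(f"--- {label}: rc={rc} changed={changed}")
        print("\n".join(screen))
```

Running it reproduces both transcripts: with a wrong current password the sufficient pam_unix fails in the prelim pass, so the walk continues through TEST LINE 3 to pam_deny; with the correct current password pam_unix succeeds as sufficient and ends the prelim pass right there, and in the update pass the echo modules return ignore, so TEST LINE 3 never prints and the requisite pam_cracklib rejects the short password before pam_unix or pam_deny are reached.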

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list