On 24.3.2015 12:48, Big Bacala wrote:
Greetings. I am trying to understand the subtleties of PAM on a RHEL6 box, and hope I can gain better insight from more experienced list members. I've been examining the official documentation and been experimenting quite a bit, but to no avail. Thank you in advance for any insight you may provide...

Starting with a very straightforward PAM password stack:

    password requisite pam_cracklib.so minlen=8
    password sufficient pam_unix.so sha512 shadow use_authtok
    password required pam_deny.so

Simple enough. I believe I understand what happens. Now, insert echoes between each line of the above to trace how things work:

    password optional pam_echo.so TEST LINE 1
    password requisite pam_cracklib.so minlen=8
    password optional pam_echo.so TEST LINE 2
    password sufficient pam_unix.so sha512 shadow use_authtok
    password optional pam_echo.so TEST LINE 3
    password required pam_deny.so

and give it a run...

    [username@box}$ passwd
    Changing password for user username
    TEST LINE 1
    TEST LINE 2
    Changing password for username
    (current) UNIX password: <<use incorrect password here to cause failure>>
    TEST LINE 3
    passwd: Authentication token manipulation error

I still believe I understand what's happening. So far, so good. Now, I use the correct (current) password, but fail to enter an acceptable new password (e.g., <8 characters). TEST LINE 3 does NOT echo to the screen in this case, even though the pam_unix line fails. I expected it would. What am I missing?

    [username@box}$ passwd
    Changing password for user username
    TEST LINE 1
    TEST LINE 2
    Changing password for username
    (current) UNIX password: <<enter correct password here>>
    New password: <<enter very short password to make fail>>
    BAD PASSWORD: it is WAY too short
    Password: <<repeat bad password to make it fail>>
    passwd: Authentication token manipulation error
You have to understand that there are two passes through the password modules during the password change.

1. prelim check - here the pam_echo messages are output and the old password checked
2. the actual change - here the new password is asked for and the change is done

The TEST LINE 3 is not echoed in your second case because the pam_unix.so is sufficient and because during the prelim check it succeeded, no module after the pam_unix will be processed.
Tomas Mraz

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
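As an added illustration of the two passes described in the reply (a constructed Python model, not Linux-PAM code and not from anyone in this thread), the snippet below walks the questioner's stack once as the prelim check and once as the actual change, using stub modules reduced to the decisions that matter here. The stubs assume the real modules' behaviour: pam_echo prints only in the prelim pass and returns PAM_IGNORE otherwise, pam_unix verifies the current password in the prelim pass, pam_cracklib judges the new password in the update pass, and pam_deny always fails.

```python
# Constructed model of how Linux-PAM walks a "password" stack: pam_chauthtok()
# runs the stack once with PAM_PRELIM_CHECK, then again with PAM_UPDATE_AUTHTOK.
PRELIM, UPDATE = "prelim", "update"
SUCCESS, IGNORE, FAIL = "success", "ignore", "fail"

def pam_echo(msg):
    # pam_echo prints only in the prelim pass and returns PAM_IGNORE otherwise
    def module(phase, state):
        if phase != PRELIM:
            return IGNORE
        state["echoed"].append(msg)
        return SUCCESS
    return module

def pam_cracklib(phase, state):
    # nothing to check in prelim; the new password is judged in the update pass
    return SUCCESS if phase == PRELIM or state["new_ok"] else FAIL

def pam_unix(phase, state):
    # prelim: verify the current password; update: write the new one
    return SUCCESS if phase == UPDATE or state["old_ok"] else FAIL

def run_stack(stack, phase, state):
    # Linux-PAM control-flag dispatch, simplified to the four flags used here
    failed = False
    for ctrl, module in stack:
        result = module(phase, state)
        if result == IGNORE:
            continue                       # as if the line were not there
        if result == SUCCESS:
            if ctrl == "sufficient" and not failed:
                return True                # short-circuit: rest of stack skipped
        elif ctrl == "requisite":
            return False                   # fail immediately
        elif ctrl == "required":
            failed = True                  # fail, but keep walking the stack
        # an optional or sufficient failure does not change the verdict
    return not failed

def run_passwd(stack, old_ok, new_ok):
    # Returns (change succeeded?, list of TEST LINEs that were echoed)
    state = {"old_ok": old_ok, "new_ok": new_ok, "echoed": []}
    ok = run_stack(stack, PRELIM, state) and run_stack(stack, UPDATE, state)
    return ok, state["echoed"]

# The stack from the question, with the echo lines interleaved
STACK = [("optional", pam_echo("TEST LINE 1")), ("requisite", pam_cracklib),
         ("optional", pam_echo("TEST LINE 2")), ("sufficient", pam_unix),
         ("optional", pam_echo("TEST LINE 3")), ("required", lambda ph, st: FAIL)]
```

With a wrong current password the prelim pass reaches TEST LINE 3 and pam_deny; with a correct current password pam_unix's sufficient success ends the prelim pass before TEST LINE 3, and the short new password then fails the requisite pam_cracklib in the update pass.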