Thank you for your reply. I'm still somehow looking at this the wrong way and I'd really appreciate a little more help...
Focusing again on the the last example where TEXT LINE 3 is not echoed... I'm thinking that, even though the first pass was successful (I provided the correct current password), wasn't the second pass unsuccessful? (I intentionally provided an inadequate new password.) If it were considered a success, wouldn't it write something to /etc/shadow? Ah! Okay, so maybe it finally clicked... the first pass determines if a correct current UNIX password was provided, and that dictates the pass/fail status of the statement. If pass, then continue processing within the pam_unix module (where it determines if the new password meets the cracklib criteria. If so, write to shadow. If not, don't. In either case, stop.) I definitely didn't get that from the documentation. So, did I get that right? If so, then I have a related question which I will post separately under a new subject. Thank you so much! > Date: Tue, 24 Mar 2015 13:02:45 +0100 > From: tmraz@xxxxxxxxxx > To: pam-list@xxxxxxxxxx > Subject: Re: Proper use of pam_echo > > On 24.3.2015 12:48, Big Bacala wrote: > > Greetings. I am trying to understand the subtleties of PAM on a RHEL6 > > box, and hope I can gain better insight from more experienced list > > members. I've been examining the official documentation and been > > experimenting quite a bit, but to no avail. Thank you in advance for > > any insight you may provide... > > > > Starting with a very straightforward PAM password stack: > > password requisite pam_cracklib.so minlen=8 > > password sufficient pam_unix.so sha512 shadow use_authtok > > password required pam_deny.so > > Simple enough. I believe I understand what happens. > > > > Now, insert echo's between each line of the above to trace how things work: > > password optional pam_echo.so TEST LINE 1 > > password requisite pam_cracklib.so minlen=8 > > password optional pam_echo.so TEST LINE 2 > > password sufficient pam_unix.so sha512 shadow use_authtok > > password optional pam_echo.so TEST LINE 3 > > password required pam_deny.so > > > > and give it a run... > > [username@box}$ passwd > > Changing password for user username > > TEST LINE 1 > > TEST LINE 2 > > Changing password for username > > (current) UNIX password: <<use incorrect password here to cause failure>> > > TEST LINE 3 > > passwd: Authentication token manipulation error > > I still believe I understand what's happening. So far, so good. > > > > Now, I use the correct (current) password, but fail to enter an > > acceptable new password (eg, <8 characters). TEST LINE 3 does NOT echo > > to the screen in this case, even though the pam_unix line fails. I > > expected it would. What am I missing? > > [username@box}$ passwd > > Changing password for user username > > TEST LINE 1 > > TEST LINE 2 > > Changing password for username > > (current) UNIX password: <<enter correct password here>> > > New password: <<enter very short password to make fail>> > > BAD PASSWORD: it is WAY too short > > Password: <<repeat bad password to make it fail>> > > passwd: Authentication token manipulation error > > You have to understand that there are two passes through the password > modules during the password change. > 1. prelim check - here the pam_echo messages are output and the old > password checked > 2. the actual change - here the new password is asked for and the change > is done > > The TEST LINE 3 is not echoed in your second case because the > pam_unix.so is sufficient and because during the prelim check it > succeeded no module after the pam_unix will be processed. > > Tomas Mraz > > _______________________________________________ > Pam-list mailing list > Pam-list@xxxxxxxxxx > https://www.redhat.com/mailman/listinfo/pam-list |
_______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list