Re: Proper use of pam_echo



On 24.3.2015 20:27, Big Bacala wrote:
Thank you for your reply.  I'm still somehow looking at this the wrong
way and I'd really appreciate a little more help...

Focusing again on the last example where TEXT LINE 3 is not
echoed...  I'm thinking that, even though the first pass was successful
(I provided the correct current password), wasn't the second pass
unsuccessful? (I intentionally provided an inadequate new password.)  If
it were considered a success, wouldn't it write something to /etc/shadow?

Ah! Okay, so maybe it finally clicked... the first pass determines if a
correct current UNIX password was provided, and that dictates the
pass/fail status of the statement.  If pass, then continue processing
within the pam_unix module (where it determines if the new password
meets the cracklib criteria. If so, write to shadow. If not, don't. In
either case, stop.)  I definitely didn't get that from the documentation.

So, did I get that right?  If so, then I have a related question which I
will post separately under a new subject.
Thank you so much!

1. The pam_echo does not echo anything in the second pass - that's the way it is implemented.

2. Even if it did, the PAM library caches the order of the modules processed in the first pass and it will follow the same order in the second pass. So if in the first pass the pam_echo was skipped, it will be skipped in the second pass as well regardless of the return values of the modules in the second pass.

Tomas Mraz
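
The two points in the reply above, as an added example that is not part of the original message and is not Linux-PAM code: a simplified Python model of a two-pass `password` stack. The stack layout, the `[success=1 default=ignore]` control and the stand-in modules are assumptions made for illustration; the model tracks only which modules run and what they echo, not the overall result of the password change.

```python
# Simplified model of a PAM "password" stack (assumed layout, not libpam code).
SUCCESS, IGNORE, AUTHTOK_ERR = "success", "ignore", "authtok_err"
PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"

def echo_module(text):
    """Stand-in for pam_echo: emits text in the preliminary pass only."""
    def run(flag, ctx):
        if flag == PRELIM:
            ctx["out"].append(text)
            return SUCCESS
        return IGNORE          # point 1: nothing is echoed in the second pass
    return run

def unix_module(flag, ctx):
    """Stand-in for pam_unix: pass 1 checks the old password, pass 2 the new."""
    if flag == PRELIM:
        return SUCCESS if ctx["old_ok"] else AUTHTOK_ERR
    return SUCCESS if ctx["new_ok"] else AUTHTOK_ERR

# Constructed stack; the configuration discussed in the thread is not shown.
# Each entry: (modules to skip when the result is "success", module).
STACK = [
    (0, echo_module("TEXT LINE 1")),
    (1, unix_module),                 # models [success=1 default=ignore]
    (0, echo_module("TEXT LINE 3")),  # reached only if unix_module did not succeed
    (0, echo_module("TEXT LINE 4")),
]

def chauthtok(old_ok, new_ok):
    """Run both passes; return echoed lines and a per-pass (index, result) trace."""
    ctx = {"old_ok": old_ok, "new_ok": new_ok, "out": []}
    cached, trace = {}, {PRELIM: [], UPDATE: []}
    for flag in (PRELIM, UPDATE):
        i = 0
        while i < len(STACK):
            jump, module = STACK[i]
            ret = module(flag, ctx)
            trace[flag].append((i, ret))
            if flag == PRELIM:
                cached[i] = ret
            # point 2: routing always follows the result cached in pass 1
            i += 1 + (jump if cached[i] == SUCCESS else 0)
    return ctx["out"], trace
```

With a correct current password and an inadequate new one, `chauthtok(True, False)` shows the stand-in for pam_unix returning an error in the second pass while the module carrying TEXT LINE 3 is still skipped, because the jump was decided in the first pass.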

Pam-list mailing list
