On 24.3.2015 20:27, Big Bacala wrote:
Thank you for your reply. I'm still somehow looking at this the wrong way and I'd really appreciate a little more help... Focusing again on the last example where TEXT LINE 3 is not echoed... I'm thinking that, even though the first pass was successful (I provided the correct current password), wasn't the second pass unsuccessful? (I intentionally provided an inadequate new password.) If it were considered a success, wouldn't it write something to /etc/shadow? Ah! Okay, so maybe it finally clicked... the first pass determines if a correct current UNIX password was provided, and that dictates the pass/fail status of the statement. If pass, then continue processing within the pam_unix module (where it determines if the new password meets the cracklib criteria. If so, write to shadow. If not, don't. In either case, stop.) I definitely didn't get that from the documentation. So, did I get that right? If so, then I have a related question which I will post separately under a new subject. Thank you so much!
1. The pam_echo does not echo anything in the second pass - that's the way it is implemented.
2. Even if it did, the PAM library caches the order of the modules processed in the first pass and it will follow the same order in the second pass. So if in the first pass the pam_echo was skipped, it will be skipped in the second pass as well regardless of the return values of the modules in the second pass.
Tomas Mraz
_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
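
The two points in the reply above, as a simplified Python model added here for illustration; it is not libpam code and not part of the original message. The stack layout, the control values and the stub modules are constructed assumptions, the current password is assumed correct, and `freeze=False` is a hypothetical library without the cached order, included only for contrast.

```python
# Simplified model of the two-pass password stack (added illustration, not libpam code).
PRELIM, UPDATE = "PAM_PRELIM_CHECK", "PAM_UPDATE_AUTHTOK"

def pam_unix(flag, ctx):
    # Stub: pass 1 checks the current password (assumed correct here),
    # pass 2 tries to store the new one and fails if it is inadequate.
    if flag == PRELIM:
        return "success"
    return "success" if ctx["new_ok"] else "authtok_err"

def pam_echo(text):
    def run(flag, ctx):
        if flag == PRELIM:               # point 1: echoes in the first pass only
            ctx["echoed"].append(text)
            return "success"
        return "ignore"
    return run

# Constructed stack: (name, control, function). An integer action means
# "jump over the next N modules", like success=1 in a PAM control field.
STACK = [
    ("echo1", {"default": "ignore"}, pam_echo("TEXT LINE 1")),
    ("unix", {"success": 1, "default": "ignore"}, pam_unix),
    ("echo3", {"default": "ignore"}, pam_echo("TEXT LINE 3")),
    ("echo4", {"default": "ignore"}, pam_echo("TEXT LINE 4")),
]

def run_pass(flag, ctx, cache, freeze):
    """Walk the stack once and return the names of the modules called."""
    called, i = [], 0
    while i < len(STACK):
        name, control, func = STACK[i]
        retval = func(flag, ctx)
        called.append(name)
        if flag == PRELIM:
            cache[i] = retval            # the first pass defines the path
        elif freeze:
            retval = cache[i]            # point 2: second pass replays it
        action = control.get(retval, control["default"])
        i += 1 + (action if isinstance(action, int) else 0)
    return called

def chauthtok(new_ok, freeze=True):
    """freeze=False is a hypothetical library without the cached order."""
    ctx, cache = {"new_ok": new_ok, "echoed": []}, {}
    first = run_pass(PRELIM, ctx, cache, freeze)
    second = run_pass(UPDATE, ctx, cache, freeze)
    return first, second, ctx["echoed"]
```

With an inadequate new password, `chauthtok(False)` calls the same modules in both passes and never reaches `echo3`; only with `freeze=False` does the failing second-pass return value change the path.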