Peter Palfrader <[email protected]> writes:
> on etch I used the following as my common-password:
> | password required pam_cracklib.so retry=3
> minlen=10 difok=3 type=LDAP
> | password [success=1 default=ignore] pam_krb5.so use_authtok
> minimum_uid=1000 debug
> | password required pam_unix.so use_authtok
> nullok md5
> | password required pam_permit.so
> now that I upgraded to lenny this no longer works.
Hm. I think the problem is that use_authtok needs to mean different
things during the preliminary check than it does during the password
change itself. use_authtok generally means never under any circumstances
prompt for a password, and the problem that I fixed in the newer version
is that you could press Enter to the password prompt on pam_cracklib and
then pam_krb5 would have happily prompted you again and let you set a
password that bypassed strength checking. But I assume that pam_cracklib
isn't prompting for your *current* password during the preliminary check
phase.
Could you try this patch and see if it fixes the problem for you? It's a
bit of a hack and I may restructure it for the next release, but I think
it's the right basic idea.
--- a/password.c
+++ b/password.c
@@ -183,8 +183,23 @@ pamk5_password_change(struct pam_args *args, int only_auth)
int pamret = PAM_SUCCESS;
char *pass = NULL;
- /* Authenticate to the password changing service using the old password. */
+ /*
+ * Authenticate to the password changing service using the old password.
+ *
+ * We potentially need to change the use_authtok flag here if we're
+ * doing the preliminary check. For the password stack, use_authtok
+ * means to never prompt for the new password and always use what's in
+ * the stack already. But it doesn't mean to rely on the stack for the
+ * old password, and pam_cracklib doesn't prompt for the old password.
+ *
+ * Convert use_authtok to use_first_pass if we're doing the preliminary
+ * check.
+ */
if (ctx->creds == NULL) {
+ if (only_auth && args->use_authtok) {
+ args->use_authtok = 0;
+ args->use_first_pass = 1;
+ }
pamret = pamk5_password_auth(args, "kadmin/changepw", &ctx->creds);
if (pamret == PAM_SERVICE_ERR || pamret == PAM_AUTH_ERR)
pamret = PAM_AUTHTOK_RECOVER_ERR;
--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]