https://community.hpe.com/t5/operating-system-hp-ux/problem-with-pam-chauthtok/m-p/3966341#M757667 BTW,<BR /><BR />I did find<BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1078256" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1078256</A><BR /><BR />which seems to be a similar type of report ...<BR /><BR />Rob Wed, 21 Mar 2007 14:30:33 GMT Robert Currey 2007-03-21T14:30:33Z https://community.hpe.com/t5/operating-system-hp-ux/problem-with-pam-chauthtok/m-p/3966340#M757666 One of our customers is using pam_ldap (hp11i non-trusted) and has some password policies in effect.<BR /><BR />we called <BR /> int result = pam_acct_mgmt(m_pam_h, PAM_DISALLOW_NULL_AUTHTOK);<BR />and got the PAM_NEW_AUTHTOK_REQD<BR /><BR />We then call pam_chauthtok(m_pam_h, PAM_CHANGE_EXPIRED_AUTHTOK);<BR /><BR />and our log then gathers the following ...<BR />(master) [21 Mar 18:32:18]: leader[7]: pam-login:PamConversationHandler num_msg=1<BR />(master) [21 Mar 18:32:18]: leader[7]: pam-login:PamConversationHandler msg[0]: Old password: (prompt w/o echo)<BR />(master) [21 Mar 18:32:23]: leader[7]: pam-login:PamConversationHandler response=install10<BR />(master) [21 Mar 18:32:23]: leader[7]: pam-login:PamConversationHandler num_msg=1<BR />(master) [21 Mar 18:32:23]: leader[7]: pam-login:PamConversationHandler msg[0]: New password: (prompt w/o echo)<BR />(master) [21 Mar 18:32:24]: leader[7]: pam-login:PamConversationHandler response=aa<BR />(master) [21 Mar 18:32:24]: leader[7]: pam-login:PamConversationHandler num_msg=1<BR />(master) [21 Mar 18:32:24]: leader[7]: pam-login:PamConversationHandler msg[0]: Re-enter new password: (prompt w/o echo)<BR />(master) [21 Mar 18:32:26]: leader[7]: pam-login:PamConversationHandler response=aa<BR />(master) [21 Mar 18:32:26]: leader[7]: pam-login:PamConversationHandler num_msg=1<BR />(master) [21 Mar 18:32:26]: leader[7]: pam-login:PamConversationHandler msg[0]: Failed password policy checking<BR />(master) [21 Mar 18:32:26]: leader[6]: pam-login: pam_chauthtok returned 0<BR /><BR />So ... the pam module sent the "Failed password policy checking" string for us to display, but then pam_chauthtok return PAM_SUCCESS (so as far as the caller of the API is concerned the AUTHTOK was successfully changed and updated).<BR /><BR />Seems pretty clear to me that pam_chauthtok() is returning an invalid result (probably as a result of a module having a pam_sm_chauthtok bug()?)<BR /><BR />I'll try to gather some additional info if needed:<BR />which pam_ldap package version<BR />which LDAP backend<BR />how the password policies are specified<BR />etc<BR /><BR />Let me know what other info I can gather if needed.<BR /><BR />Thanks<BR /><BR />Rob<BR /> Wed, 21 Mar 2007 14:25:29 GMT https://community.hpe.com/t5/operating-system-hp-ux/problem-with-pam-chauthtok/m-p/3966340#M757666 Robert Currey 2007-03-21T14:25:29Z https://community.hpe.com/t5/operating-system-hp-ux/problem-with-pam-chauthtok/m-p/3966341#M757667 BTW,<BR /><BR />I did find<BR /><A href="http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1078256" target="_blank">http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1078256</A><BR /><BR />which seems to be a similar type of report ...<BR /><BR />Rob Wed, 21 Mar 2007 14:30:33 GMT https://community.hpe.com/t5/operating-system-hp-ux/problem-with-pam-chauthtok/m-p/3966341#M757667 Robert Currey 2007-03-21T14:30:33Z