
pam_passwdqc only works for root

 
Chris Gardner
Occasional Advisor

pam_passwdqc only works for root

Have installed pam_passwdqc from HP-UX Internet Express but it only seems to work for root. Can anyone help me get it to work for regular users too?

The passwd part of 'pam.conf' is:

passwd password required pam_passwdqc.1 ask_oldauthtok max=8 min=disabled,6,6,6,6
passwd password required libpam_hpsec.so.1
passwd password required libpam_unix.so.1 use_first_pass

The only changes I have made to 'pam.conf' are to add the pam_passwdqc line and add 'use_first_pass' to libpam_unix, as per suggestion in passwdqc's readme.

The system is using the standard passwd file, not shadow nor trusted mode.
natbasfras
New Member
Solution

Re: pam_passwdqc only works for root

Maybe you should add the option enforce=users; then the password changing is only enforced for normal users. Maybe that will help.
Chris Gardner
Occasional Advisor

Re: pam_passwdqc only works for root

I tried 'enforce=users' but it didn't help.

At the moment, if root runs 'passwd some_user' the password is checked and changed properly.

If a regular user logs in and runs 'passwd' to alter their own password, it fails every time and doesn't change the password. The output is:
Changing password for some_user
Sorry.

Regular users have to provide their old password before a new one - could it be that this is confusing pam_unix with the 'use_first_pass' option?

If you have a working passwdqc, could you post the relevant bits of your pam.conf and any other changes you needed to make?

Many thanks.
natbasfras
New Member

Re: pam_passwdqc only works for root

This only works for normal Unix users. The LDAP ones aren't working with this:

OTHER password required /opt/iexpress/pampasswd/lib/pam_passwdqc.1 ask_oldauthtok=update check_oldauthtok min=disabled,8,8,8,8 max=24 passphrase=0 enforce=users
OTHER password required /usr/lib/security/libpam_unix.1 use_first_pass
OTHER password sufficient /usr/lib/security/libpam_ldap.1
natbasfras
New Member

Re: pam_passwdqc only works for root

And the reason the normal user had to provide the old password is that you have ask_oldauthtok there. Mine has ask_oldauthtok=update check_oldauthtok; these two options ask for the old password. Only root isn't asked then.
Chris Gardner
Occasional Advisor

Re: pam_passwdqc only works for root

Super! 'ask_oldauthtok=update' and 'check_oldauthtok' have done the job.

Passwd is now functioning properly for both root and regular users.

Your help is much appreciated.
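
Added example (not part of the original thread, and not code from passwdqc or HP-UX): a small sh/awk check that reads a pam.conf on stdin and flags a password stack that differs from the combination that worked above, namely 'ask_oldauthtok=update' plus 'check_oldauthtok' on the pam_passwdqc line and 'use_first_pass' on the pam_unix line after it. The function and sample names are made up for this example, and the field layout (service, type, control, module, options) is assumed from the lines quoted in the thread.

```shell
#!/bin/sh
# Lint the "password" stack of a pam.conf read on stdin.
# Assumed field layout: service type control module [options...]
# Prints one finding per difference from the working config; returns 1 if any.
check_passwdqc_stack() {
    awk '
    /^[ \t]*#/ || NF < 4 || $2 != "password" { next }
    $4 ~ /pam_passwdqc/ {
        seen[$1] = 1; ask = "none"; chk = 0
        for (i = 5; i <= NF; i++) {
            if ($i == "ask_oldauthtok")        ask = "bare"
            if ($i == "ask_oldauthtok=update") ask = "update"
            if ($i == "check_oldauthtok")      chk = 1
        }
        if (ask == "bare") {
            printf "line %d (%s): bare ask_oldauthtok, working config used ask_oldauthtok=update\n", NR, $1
            bad = 1
        }
        if (ask != "none" && !chk) {
            printf "line %d (%s): old password is asked for but check_oldauthtok is missing\n", NR, $1
            bad = 1
        }
        next
    }
    # pam_unix stacked after passwdqc should reuse the password already entered
    ($1 in seen) && $4 ~ /pam_unix/ {
        ufp = 0
        for (i = 5; i <= NF; i++) if ($i == "use_first_pass") ufp = 1
        if (!ufp) {
            printf "line %d (%s): pam_unix after pam_passwdqc lacks use_first_pass\n", NR, $1
            bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Stack from the first post (failed for regular users)
sample_before() { cat <<'EOF'
passwd password required pam_passwdqc.1 ask_oldauthtok max=8 min=disabled,6,6,6,6
passwd password required libpam_hpsec.so.1
passwd password required libpam_unix.so.1 use_first_pass
EOF
}

# Stack posted later in the thread as working for local Unix users
sample_after() { cat <<'EOF'
OTHER password required /opt/iexpress/pampasswd/lib/pam_passwdqc.1 ask_oldauthtok=update check_oldauthtok min=disabled,8,8,8,8 max=24 passphrase=0 enforce=users
OTHER password required /usr/lib/security/libpam_unix.1 use_first_pass
OTHER password sufficient /usr/lib/security/libpam_ldap.1
EOF
}

sample_before | check_passwdqc_stack || true   # prints two findings
sample_after  | check_passwdqc_stack && echo "no findings"
```

On a live system, feed it the real file with `check_passwdqc_stack < /etc/pam.conf`.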