Operating System - HP-UX

pam policies and forced password change

Managed Services
Frequent Advisor

Does anyone have any experiences of pam policies not working for forced password change?
The current pam.conf has the following for the login section of password management:
login session required /usr/lib/security/libpam_updbe.1
login password required /usr/lib/security/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok min=disabled,6,6,6,6 max=8 passphrase=0 enforce=users retry=3 random=0 match=3
login password required /usr/lib/security/libpam_unix.1 use_first_pass
passwd session required /usr/lib/security/libpam_updbe.1
passwd password required /usr/lib/security/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok min=disabled,6,6,6,6 max=8 passphrase=0 enforce=users retry=3 random=0 match=3
passwd password required /usr/lib/security/libpam_unix.1 use_first_pass

When a password change is forced at next login (-f) or password ageing kicks off, the two-stage process doesn't work and 'sorry' is returned.

If 'sufficient' is used instead of 'required' for pam_passwdqc.so, so that the 2nd stage is not started if successful, then the password is not changed and login is left in a continual forced password change loop. If this is left as required, and in the second stage use_first_pass is changed to try_first_pass, then password login changes go through the first stage (without changing the password!) and allow changing at the second stage: libpam_unix.1 try_first_pass.

If however the user has logged on and used passwd to self-change their password then the additional security works.

Has anyone got any experiences like this? Are there any outstanding issues with pam modules?

Thanks
Stephen
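A toy model of the PAM control-flag semantics behind the three variants described in the post, added here as an illustration; it is not code from the post or from HP-UX, and the module functions are placeholders. It assumes that in the forced-change path the first module leaves no new token for the second one, which reproduces the reported symptoms but is not something the post confirms.

```python
# Toy model of a two-module PAM password stack run through the two
# chauthtok phases (preliminary check, then update). Added example only.
PRELIM, UPDATE = "prelim", "update"


def passwdqc(phase, state):
    """Stand-in for pam_passwdqc: succeeds in both phases.
    ASSUMPTION (consistent with the symptoms, not confirmed by the post):
    in the forced-change path it leaves no new token for the next module."""
    return True


def pam_unix(phase, state, option):
    """Stand-in for libpam_unix, the module that actually writes the new
    password. use_first_pass needs a token from an earlier module;
    try_first_pass falls back to prompting when none is present."""
    token = state.get("authtok")
    if token is None:
        if option == "use_first_pass":
            return False                      # nothing to use: module fails
        token = "prompted-by-pam_unix"        # try_first_pass prompts itself
    if phase == UPDATE:
        state["password_changed"] = True      # the write happens in UPDATE
    return True


def run_stack(stack, state):
    """stack: list of (control, module). Each phase runs the whole stack.
    required: a failure is remembered but later modules still run.
    sufficient: success with no earlier required failure ends the phase."""
    for phase in (PRELIM, UPDATE):
        failed = False
        for control, module in stack:
            ok = module(phase, state)
            if control == "required" and not ok:
                failed = True
            elif control == "sufficient" and ok and not failed:
                break                         # later modules are skipped
        if failed:
            return "sorry"                    # the generic failure message
    # If nothing wrote the password, the forced-change flag is still set.
    return "changed" if state.get("password_changed") else "loop"


def outcome(passwdqc_control, unix_option):
    """Result of a forced change for one of the post's three variants."""
    stack = [(passwdqc_control, passwdqc),
             ("required", lambda ph, st: pam_unix(ph, st, unix_option))]
    return run_stack(stack, {})
```

With 'sufficient' on the first module the stack short-circuits in the update phase, so the module that writes the password never runs and the forced-change loop follows.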