HPE Community
Operating System - HP-UX
1825720 Members
3399 Online
109686 Solutions
New Discussion

Re: Problem with pam_chauthtok

 
Robert Currey
Occasional Contributor

‎03-21-2007 07:25 AM

‎03-21-2007 07:25 AM

Problem with pam_chauthtok

One of our customers is using pam_ldap (hp11i non-trusted) and has some password policies in effect.

we called
int result = pam_acct_mgmt(m_pam_h, PAM_DISALLOW_NULL_AUTHTOK);
and got the PAM_NEW_AUTHTOK_REQD

We then call pam_chauthtok(m_pam_h, PAM_CHANGE_EXPIRED_AUTHTOK);

and our log then gathers the following ...
(master) [21 Mar 18:32:18]: leader[7]: pam-login:PamConversationHandler num_msg=1
(master) [21 Mar 18:32:18]: leader[7]: pam-login:PamConversationHandler msg[0]: Old password: (prompt w/o echo)
(master) [21 Mar 18:32:23]: leader[7]: pam-login:PamConversationHandler response=install10
(master) [21 Mar 18:32:23]: leader[7]: pam-login:PamConversationHandler num_msg=1
(master) [21 Mar 18:32:23]: leader[7]: pam-login:PamConversationHandler msg[0]: New password: (prompt w/o echo)
(master) [21 Mar 18:32:24]: leader[7]: pam-login:PamConversationHandler response=aa
(master) [21 Mar 18:32:24]: leader[7]: pam-login:PamConversationHandler num_msg=1
(master) [21 Mar 18:32:24]: leader[7]: pam-login:PamConversationHandler msg[0]: Re-enter new password: (prompt w/o echo)
(master) [21 Mar 18:32:26]: leader[7]: pam-login:PamConversationHandler response=aa
(master) [21 Mar 18:32:26]: leader[7]: pam-login:PamConversationHandler num_msg=1
(master) [21 Mar 18:32:26]: leader[7]: pam-login:PamConversationHandler msg[0]: Failed password policy checking
(master) [21 Mar 18:32:26]: leader[6]: pam-login: pam_chauthtok returned 0

So ... the pam module sent the "Failed password policy checking" string for us to display, but then pam_chauthtok return PAM_SUCCESS (so as far as the caller of the API is concerned the AUTHTOK was successfully changed and updated).

Seems pretty clear to me that pam_chauthtok() is returning an invalid result (probably as a result of a module having a pam_sm_chauthtok bug()?)

I'll try to gather some additional info if needed:
which pam_ldap package version
which LDAP backend
how the password policies are specified
etc

Let me know what other info I can gather if needed.

Thanks

Rob
I can tell you where to go today ...
0 Kudos
Reply
1 REPLY 1
Robert Currey
Occasional Contributor

‎03-21-2007 07:30 AM

‎03-21-2007 07:30 AM

Re: Problem with pam_chauthtok

BTW,

I did find
http://forums1.itrc.hp.com/service/forums/questionanswer.do?threadId=1078256

which seems to be a similar type of report ...

Rob
I can tell you where to go today ...
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.