Peter Palfrader <[email protected]> writes:

> on etch I used the following as my common-password:

> | password        required                        pam_cracklib.so retry=3 
> minlen=10 difok=3 type=LDAP
> | password        [success=1 default=ignore]      pam_krb5.so use_authtok 
> minimum_uid=1000 debug
> | password        required                        pam_unix.so use_authtok 
> nullok md5
> | password        required                        pam_permit.so

> now that I upgraded to lenny this no longer works.

Hm.  I think the problem is that use_authtok needs to mean different
things during the preliminary check than it does during the password
change itself.  use_authtok generally means never under any circumstances
prompt for a password, and the problem that I fixed in the newer version
is that you could press Enter to the password prompt on pam_cracklib and
then pam_krb5 would have happily prompted you again and let you set a
password that bypassed strength checking.  But I assume that pam_cracklib
isn't prompting for your *current* password during the preliminary check
phase.

Could you try this patch and see if it fixes the problem for you?  It's a
bit of a hack and I may restructure it for the next release, but I think
it's the right basic idea.

--- a/password.c
+++ b/password.c
@@ -183,8 +183,23 @@ pamk5_password_change(struct pam_args *args, int only_auth)
     int pamret = PAM_SUCCESS;
     char *pass = NULL;
 
-    /* Authenticate to the password changing service using the old password. */
+    /*
+     * Authenticate to the password changing service using the old password.
+     *
+     * We potentially need to change the use_authtok flag here if we're
+     * doing the preliminary check.  For the password stack, use_authtok
+     * means to never prompt for the new password and always use what's in
+     * the stack already.  But it doesn't mean to rely on the stack for the
+     * old password, and pam_cracklib doesn't prompt for the old password.
+     *
+     * Convert use_authtok to use_first_pass if we're doing the preliminary
+     * check.
+     */
     if (ctx->creds == NULL) {
+        if (only_auth && args->use_authtok) {
+            args->use_authtok = 0;
+            args->use_first_pass = 1;
+        }
         pamret = pamk5_password_auth(args, "kadmin/changepw", &ctx->creds);
         if (pamret == PAM_SERVICE_ERR || pamret == PAM_AUTH_ERR)
             pamret = PAM_AUTHTOK_RECOVER_ERR;

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>




-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to