Package: libpam-runtime Version: 1.1.1-3 When installing a pam module with priority higher than unix (for example libpam-sss), the generate password rule for pam do not work. This is the pam configuration in question:
password sufficient pam_sss.so password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password requisite pam_deny.so password required pam_permit.so The problem is the use_authtok argument to pam_unix.so, which forces the unix module to not ask for a password even if it is missing, in concert with the fact that some pam modules do not ask for passwords if the user in question is unknown. I ran into this problem when I was unable to change the password on the local root user after configuring libpam-sss version 1.2.0-1. I believe the same is the case for Kerberos pam modules. Should the use_authtok argument be removed from /usr/share/pam-config/unix? Happy hacking, -- Petter Reinholdtsen -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org