Not with that configuration. In fact, this is entirely internal to PAM,
and not a lot to do with passwd at all. pam_chauthtok calls the password
module first with PAM_PRELIM_CHECK set to find out whether it's allowed
to change the token, and then without that flag to actually change the
token.

I had a quick chat with Simon about this, and he suggested that this was
very likely a deliberate design decision in PAM. If you're changing the
password, then you want to make sure you're using the previous password
as the authentication token, rather than some other piece of
authentication. Thus use of the password component deliberately bypasses
the auth component.

I'm not sure exactly what you're really trying to do here, but you may
find some of the following arguments to pam_unix useful, depending on
the exact circumstances:

    The argument use_first_pass is used to lock the choice of old and new
    passwords to that dictated by the previously stacked password module. The
    try_first_pass argument is used to avoid the user having to re-enter an old
    password when pam_unix follows a module that possibly shared the user's old
    password - if this old password is not correct the user will be prompted
    for the correct one. The argument use_authtok is used to force this module
    to set the new password to the one provided by the previously stacked
    password module (this is used in an example of the stacking of the Cracklib
    module documented above).

-- 
passwd ignores the pam auth section
https://launchpad.net/bugs/49603

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
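
The two-pass dispatch described in the message above, as a simplified C model added here for illustration (it is not libpam code and not part of the original message). The struct, the function names and the sample stack are hypothetical; the flag and return values are the ones in the Linux-PAM headers; control flags such as required or sufficient are ignored, so the first failure simply stops the walk.

```c
#include <stdio.h>

/* Values as defined in Linux-PAM's <security/_pam_types.h>. */
#define PAM_SUCCESS         0
#define PAM_AUTHTOK_ERR     20
#define PAM_UPDATE_AUTHTOK  0x2000U
#define PAM_PRELIM_CHECK    0x4000U

enum mtype { AUTH, PASSWORD };

struct entry {               /* one line of a service's PAM stack (hypothetical model) */
    enum mtype type;
    const char *name;
    int prelim_result;       /* what the module answers in the preliminary pass */
    unsigned calls[4];       /* flags seen on each call, in order */
    int ncalls;
};

static int call_module(struct entry *e, unsigned flags)
{
    if (e->ncalls < 4) e->calls[e->ncalls] = flags;
    e->ncalls++;
    return (flags & PAM_PRELIM_CHECK) ? e->prelim_result : PAM_SUCCESS;
}

/* Model of the token change: only PASSWORD entries are visited, first with
 * PAM_PRELIM_CHECK ("may the token be changed?"), then with
 * PAM_UPDATE_AUTHTOK ("change it"). AUTH entries are never consulted. */
int model_chauthtok(struct entry *stack, int n)
{
    const unsigned pass[2] = { PAM_PRELIM_CHECK, PAM_UPDATE_AUTHTOK };
    for (int p = 0; p < 2; p++)
        for (int i = 0; i < n; i++) {
            if (stack[i].type != PASSWORD) continue;
            int rc = call_module(&stack[i], pass[p]);
            if (rc != PAM_SUCCESS) return rc;   /* simplification: stop at first failure */
        }
    return PAM_SUCCESS;
}

int main(void)
{
    struct entry stack[] = {                     /* constructed sample stack */
        { AUTH,     "pam_unix",     PAM_SUCCESS, {0}, 0 },
        { PASSWORD, "pam_cracklib", PAM_SUCCESS, {0}, 0 },
        { PASSWORD, "pam_unix",     PAM_SUCCESS, {0}, 0 },
    };
    int rc = model_chauthtok(stack, 3);
    for (int i = 0; i < 3; i++)
        printf("%-8s %-12s called %d time(s)\n",
               stack[i].type == AUTH ? "auth" : "password", stack[i].name, stack[i].ncalls);
    return rc;
}
```

In the model, restrictions placed only in the auth entries have no effect on a password change; a check that must apply there has to be stacked as a password entry.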
