Not with that configuration. In fact, this is entirely internal to PAM, and not a lot to do with passwd at all. pam_chauthtok calls the password module first with PAM_PRELIM_CHECK set to find out whether it's allowed to change the token, and then without that flag to actually change the token.

I had a quick chat with Simon about this, and he suggested that this was very likely a deliberate design decision in PAM. If you're changing the password, then you want to make sure you're using the previous password as the authentication token, rather than some other piece of authentication. Thus use of the password component deliberately bypasses the auth component.

I'm not sure exactly what you're really trying to do here, but you may find some of the following arguments to pam_unix useful, depending on the exact circumstances:

  The argument use_first_pass is used to lock the choice of old and new passwords to that dictated by the previously stacked password module.

  The try_first_pass argument is used to avoid the user having to re-enter an old password when pam_unix follows a module that possibly shared the user's old password - if this old password is not correct the user will be prompted for the correct one.

  The argument use_authtok is used to force this module to set the new password to the one provided by the previously stacked password module (this is used in an example of the stacking of the Cracklib module documented above).

-- 
passwd ignores the pam auth section
https://launchpad.net/bugs/49603

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
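The two-pass dispatch described in the message above, as an added example that is not part of the original message and is not PAM's own code: a small C model of a token change that walks only the password entries of a stack, once for the preliminary check and once for the update. The stack, the module hooks and the `pam_example_otp` module are hypothetical, the flag values are local to the model, and the old-password check in the preliminary pass is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* PAM's flag names; the numeric values here are local to this model. */
#define PAM_PRELIM_CHECK   0x1
#define PAM_UPDATE_AUTHTOK 0x2
enum { OK = 0, DENY = 1 };

struct entry {
    const char *type;               /* "auth" or "password" column */
    const char *name;               /* module name (hypothetical) */
    int (*hook)(int flags);         /* entry point for that type */
    int prelim_calls, update_calls; /* how often each pass reached it */
};

static int old_pw_ok = 1;           /* does the old password verify? */
static int otp_auth(int flags) { (void)flags; return DENY; } /* would refuse */
static int unix_password(int flags) {
    if (flags & PAM_PRELIM_CHECK) return old_pw_ok ? OK : DENY;
    return OK;                      /* update pass: store the new token */
}

/* Constructed stack: one auth line, one password line. */
static struct entry stack[] = {
    { "auth",     "pam_example_otp", otp_auth,      0, 0 },
    { "password", "pam_unix",        unix_password, 0, 0 },
};
#define NSTACK (sizeof stack / sizeof stack[0])

/* One pass over the stack: only "password" entries are dispatched. */
static int run_pass(int flags) {
    for (size_t i = 0; i < NSTACK; i++) {
        if (strcmp(stack[i].type, "password") != 0) continue;
        if (flags & PAM_PRELIM_CHECK) stack[i].prelim_calls++;
        else stack[i].update_calls++;
        if (stack[i].hook(flags) != OK) return DENY;
    }
    return OK;
}

/* Model of the token change: preliminary pass, then update pass. */
int change_password(int old_password_correct) {
    old_pw_ok = old_password_correct;
    for (size_t i = 0; i < NSTACK; i++) stack[i].prelim_calls = stack[i].update_calls = 0;
    if (run_pass(PAM_PRELIM_CHECK) != OK) return DENY;
    return run_pass(PAM_UPDATE_AUTHTOK);
}

int main(void) {
    int rc = change_password(1);
    printf("rc=%d auth_calls=%d unix_prelim=%d unix_update=%d\n", rc, stack[0].prelim_calls + stack[0].update_calls, stack[1].prelim_calls, stack[1].update_calls);
    return 0;
}
```

In the model the auth entry's hook would deny every request, yet the change succeeds because that entry is never dispatched; a failed preliminary pass stops the update pass from running at all.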