JC Denton Apprentice
Joined: 16 Apr 2003 Posts: 151 Location: USA
Posted: Sun Apr 25, 2010 3:15 am Post subject: PAM passwd retries
Okay, so this is annoying me:
Code:
Changing password for user.
(current) UNIX password:
New password:
Retype new password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a dictionary word
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
Yet on another system, a dictionary failure does not make `passwd' fail entirely:
Code:
Changing password for user.
(current) UNIX password:
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Both systems have the same /etc/pam.d/passwd:
Code:
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
... and the same /etc/pam.d/system-auth:
Code:
auth required pam_env.so
auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
auth required pam_unix.so try_first_pass likeauth nullok
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
It's not just dictionary failures. Any kind of pam_cracklib (module) failure "repeats" three times on the first system, never giving the user an opportunity to fix the problem.
Any PAM experts out there with a clue on why this is happening? I'm almost at wit's end trying to figure it out...
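
Since /etc/pam.d/passwd only pulls in system-auth, comparing two hosts means comparing the expanded password stack and its options. The following is an added example, not part of the original post: it expands the `include` lines and reads the `retry=` value that pam_cracklib.so is given. The names `PAM_D`, `flatten` and `option` are hypothetical, and the file contents are constructed from the two listings quoted above.

```python
import re

# Constructed from the two files quoted in the post; on a live host,
# read the same names from /etc/pam.d/ instead.
PAM_D = {
    "passwd": "#%PAM-1.0\nauth include system-auth\n"
              "account include system-auth\npassword include system-auth\n",
    "system-auth": """auth required pam_env.so
auth [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
auth required pam_unix.so try_first_pass likeauth nullok
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_permit.so
""",
}

# Fields: type, control (plain word or one [bracketed] group), module, args
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def flatten(service, kind, files=PAM_D, _seen=()):
    """Return the rules of one type for a service, with includes expanded."""
    if service in _seen:
        raise ValueError(f"include loop at {service}")
    rules = []
    for line in files[service].splitlines():
        m = RULE.match(line.split("#", 1)[0].strip())
        if not m or m.group(1) != kind:
            continue  # comment, blank line, or a rule of another type
        control, module, args = m.group(2), m.group(3), m.group(4).split()
        if control in ("include", "substack"):
            rules += flatten(module, kind, files, _seen + (service,))
        else:
            rules.append((control, module, args))
    return rules

def option(rules, module, key):
    """Value of key=value on the first rule for module, or None."""
    for _, mod, args in rules:
        if mod == module:
            return dict(a.partition("=")[::2] for a in args).get(key)
    return None

if __name__ == "__main__":
    stack = flatten("passwd", "password")
    print(stack, option(stack, "pam_cracklib.so", "retry"))
```

Running the same expansion on each host and diffing the output shows whether the stacks really match once includes are resolved.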

gerdesj l33t
Joined: 29 Sep 2005 Posts: 622 Location: Yeovil, Somerset, UK
Posted: Tue Apr 27, 2010 1:25 am Post subject: Re: PAM passwd retries
Have you compared the PAM versions?
Cheers
Jon

JC Denton Apprentice
Joined: 16 Apr 2003 Posts: 151 Location: USA
Posted: Tue Apr 27, 2010 9:43 pm Post subject: Re: PAM passwd retries
gerdesj wrote:
> Have you compared the PAM versions?
> Cheers
> Jon
Did an update on the behaving machine. Both now have:
Code:
[I--] [ ] sys-apps/shadow-4.1.2.2 (0)
[I--] [ ] sys-auth/pambase-20100310 (0)
And both are now experiencing the problem. Seems bug report worthy, no?

Rexilion Veteran
Joined: 17 Mar 2009 Posts: 1044
Posted: Thu Apr 29, 2010 9:16 am Post subject:
No, it's not worth a bug report; I think it's intentional:
IUSE="debug cracklib passwdqc consolekit gnome-keyring selinux mktemp ssh +sha512"
The cracklib and passwdqc both refer to 'password strength checking'. Disabling those should get you further. However, you should really consider changing the password as the program recommends...

JC Denton Apprentice
Joined: 16 Apr 2003 Posts: 151 Location: USA
Posted: Thu Apr 29, 2010 1:22 pm Post subject:
Rexilion wrote:
> No, it's not worth a bug report; I think it's intentional:
> IUSE="debug cracklib passwdqc consolekit gnome-keyring selinux mktemp ssh +sha512"
> The cracklib and passwdqc both refer to 'password strength checking'. Disabling those should get you further. However, you should really consider changing the password as the program recommends...
I was referring to the fact that you can't retry after inputting a weak password. On the "broken" version, it just repeats the error three times and gives up.