Re: Replacing passwd?

From: Wiktor Niesiobedzki <bsd_at_w.evip.pl>
Date: Sun, 21 Nov 2004 15:49:05 +0100
On Sat, Nov 20, 2004 at 08:07:45PM -0600, Dan Nelson wrote:
> > When did that come in? I can't get passwd(1) to change an ldap password, I get:
> > 
> > rasputnik_at_eris:rasputnik$ passwd
> > passwd: Sorry, `passwd' can only change passwords for local or NIS users.
> > rasputnik_at_eris:rasputnik$ uname -a
> > FreeBSD eris 5.3-STABLE FreeBSD 5.3-STABLE #4: Mon Oct 25 18:03:11 BST 2004     root_at_eris:/usr/obj/usr/src/sys/ERIS  i386
> > rasputnik_at_eris:rasputnik$ 
> > 
> >  - this is an nss_ldap nsswitched account, logged in over ssh (pam_ldap auth).
> 
> Weird.  There's definitely a lot of PAM code in passwd.c.  What happens
> if you comment out the errx() function that prints that error (line
> 124)?
> 
I was playing with it today and removing the errx function allows passwd to change
the password, but the other problem I stepped on is how to properly configure
/etc/pam.d/passwd.

The configuration which I have now is simply:
password        sufficient      /usr/local/lib/pam_ldap.so
password        sufficient      pam_unix.so             no_warn try_first_pass nullok


But it will give strange results, for example:
% ./passwd
Enter login(LDAP) password: <correct password>
New password: <short password>
Password too short
New password: <same short password>
Password too short
New password: <same short password>
Password too short
New Password: <same short password [1]>
Retype New Password: <same short password>

As we may see, after three failures to get the new password we switch to
pam_unix, which tries to change the user, who does not exist in
/etc/master.passwd.

Or:
% ./passwd
Changing 0 password
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again 
Enter login(LDAP) password: <wrong password>
LDAP Password incorrect: try again
Old Password: <anything>
New Password: <new password>
Retype New Password: <the same string>

Which obviously does not result in any password change, as pam_unix tries to
change the password.


My goal is to have some local users, and some users coming from LDAP, and it
would be best if all could change their password through passwd.

Does this behaviour of passwd show the problem within pam_unix (as it does
not check whether the user exists in master.passwd, only by _PWF_SOURCE)?

Maybe there is a need to implement is_user_of_this_auth_method or something
like that?


Cheers,

Wiktor Niesiobedzki
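To make the fall-through in the stack above visible, here is an added toy model of it (my example, not code from the post, FreeBSD or pam_ldap): pam_ldap and pam_unix are stand-ins that record their prompts, and the account names and passwords are constructed. Running the same stack with the first line marked requisite shows the trade-off: pam_unix is no longer reached for an LDAP-only user, but a local user is then blocked as well.

```python
from typing import Callable, List, Tuple

PAM_SUCCESS, PAM_AUTHTOK_ERR, PAM_USER_UNKNOWN = "PAM_SUCCESS", "PAM_AUTHTOK_ERR", "PAM_USER_UNKNOWN"
# Constructed sample accounts (not from the post): one LDAP-only user, one local user.
LDAP_USERS = {"wiktor": "ldap-secret"}
MASTER_PASSWD = {"root": "local-secret"}
Module = Callable[[str, str, str, List[str]], str]  # (user, old_pw, new_pw, trace) -> result

def pam_ldap(user: str, old_pw: str, new_pw: str, trace: List[str]) -> str:
    """Toy stand-in for pam_ldap: three tries at the old password, then three tries
    at a new one that must be at least 6 characters, mirroring the post's transcripts."""
    for _ in range(3):
        trace.append("pam_ldap: Enter login(LDAP) password:")
        if LDAP_USERS.get(user) == old_pw:
            break
        trace.append("pam_ldap: LDAP Password incorrect: try again")
    else:
        return PAM_AUTHTOK_ERR
    for _ in range(3):
        trace.append("pam_ldap: New password:")
        if len(new_pw) >= 6:
            LDAP_USERS[user] = new_pw
            return PAM_SUCCESS
        trace.append("pam_ldap: Password too short")
    return PAM_AUTHTOK_ERR

def pam_unix(user: str, old_pw: str, new_pw: str, trace: List[str]) -> str:
    """Toy stand-in for pam_unix as the post describes it: it prompts first and only
    afterwards fails for a user who is not in master.passwd."""
    trace.append("pam_unix: Old Password: / New Password: / Retype New Password:")
    if user not in MASTER_PASSWD:
        return PAM_USER_UNKNOWN
    MASTER_PASSWD[user] = new_pw
    return PAM_SUCCESS

# The post's /etc/pam.d/passwd stack: both modules marked 'sufficient'.
STACK: List[Tuple[str, Module]] = [("sufficient", pam_ldap), ("sufficient", pam_unix)]

def run_password_stack(stack: List[Tuple[str, Module]], user: str, old_pw: str, new_pw: str):
    """Simplified PAM control flags: 'sufficient' ends the stack on success and falls
    through on failure; 'requisite' ends it on failure. Returns (result, prompt trace)."""
    trace: List[str] = []
    result = PAM_AUTHTOK_ERR
    for control, module in stack:
        result = module(user, old_pw, new_pw, trace)
        if control == "sufficient" and result == PAM_SUCCESS:
            return result, trace
        if control == "requisite" and result != PAM_SUCCESS:
            return result, trace
    return result, trace
```

Calling run_password_stack(STACK, "wiktor", "ldap-secret", "abc") reproduces the first transcript: three "Password too short" prompts from pam_ldap, then pam_unix prompting for an account it cannot find.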
Received on Sun Nov 21 2004 - 13:49:17 UTC