Gentoo Archives: gentoo-server

From: Jose Gonzalez Gomez <jgonzalez@×××××××××××.com>
To: gentoo-server@l.g.o
Subject: [gentoo-server] Cracklib/Kerberos/PAM problem
Date: Wed, 23 Jun 2004 08:27:31
Message-Id: 40D93EE8.4030706@opentechnet.com

Hi there,

I have managed to install mit-krb5 + ldap as a central
authentication service, but I still have a problem. I'm using cracklib
to control password changes using passwd, but if the checking made by
cracklib fails, kerberos still asks for another password. Here is the
output:

aperez@bit aperez $ passwd
Current Kerberos 5 password: <current password>
New password: <enter>
BAD PASSWORD: it's WAY too short
New password: <enter>
BAD PASSWORD: it's WAY too short
New password: <enter>
BAD PASSWORD: it's WAY too short
New Kerberos 5 password: <new password>
Retype new Kerberos 5 password: <new password>
passwd: Authentication token manipulation error

Although I get an error in the last line, the password does get
changed. Here is my system-auth file:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_access.so

password required /lib/security/pam_cracklib.so retry=3 type= debug
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_krb5.so use_authtok debug
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so

and the log output:

Jun 22 17:55:40 bit passwd(pam_unix)[18465]: user "aperez" does not exist in /etc/passwd or NIS
Jun 22 17:55:44 bit PAM-Cracklib[18465]: bad password: it's WAY too short
Jun 22 17:55:45 bit PAM-Cracklib[18465]: bad password: it's WAY too short
Jun 22 17:55:45 bit PAM-Cracklib[18465]: bad password: it's WAY too short
Jun 22 17:55:51 bit passwd[18465]: pam_krb5: aperez's Kerberos 5 password has been changed

This is working correctly for users in /etc/passwd and /etc/shadow.
I've tried required and requisite in the cracklib line, with no success.
Am I missing anything?

Thanks in advance, regards
Jose
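
How the control flags in the posted password stack combine, as an added example that is not part of the original post: a simplified Python model of the documented required/requisite/sufficient semantics. The per-module results in OBSERVED are assumptions constructed from the posted log, and run_stack and with_flag are hypothetical helper names.

```python
# Added example: a simplified model of Linux-PAM control flags, not libpam.
# It models one pass over the stack; libpam runs the password stack twice
# (preliminary check, then update), which is not modelled here.

# Password stack from the posted system-auth: (control flag, module).
STACK = [
    ("required", "pam_cracklib"),
    ("sufficient", "pam_unix"),
    ("sufficient", "pam_krb5"),
    ("required", "pam_deny"),
]

# Assumed per-module results, constructed from the posted log: cracklib
# rejects the password, pam_unix does not know the user, pam_krb5 changes
# the password, pam_deny always fails.
OBSERVED = {"pam_cracklib": False, "pam_unix": False,
            "pam_krb5": True, "pam_deny": False}


def run_stack(stack, results):
    """Return (modules invoked, overall success) for one pass."""
    invoked, required_failed, passed = [], False, False
    for flag, module in stack:
        invoked.append(module)
        ok = results[module]
        if flag == "requisite" and not ok:
            return invoked, False          # failure ends the pass at once
        if flag == "sufficient":
            if ok and not required_failed:
                return invoked, True       # success ends the pass at once
            continue                       # otherwise the result is ignored
        if flag in ("required", "requisite"):
            if ok:
                passed = True
            else:
                required_failed = True     # remembered, but the pass goes on
    return invoked, passed and not required_failed


def with_flag(stack, module, flag):
    """Copy of the stack with one module's control flag replaced."""
    return [(flag if m == module else f, m) for f, m in stack]


if __name__ == "__main__":
    for label, stack in (("required", STACK),
                         ("requisite", with_flag(STACK, "pam_cracklib", "requisite"))):
        invoked, ok = run_stack(stack, OBSERVED)
        print(f"cracklib {label}: invoked={invoked} success={ok}")
```

With required, the failed cracklib check is only remembered, so pam_krb5 is still invoked and the pass ends in failure, which is consistent with the posted log and error message. The model does not cover module-internal behaviour, such as a module prompting on its own when no token was passed on.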