Hi there,

I have managed to install mit-krb5 + ldap as a central
authentication service, but I still have a problem. I'm using cracklib
to control password changes using passwd, but if the checking made by
cracklib fails, kerberos still asks for another password. Here is the
output:

aperez@bit aperez $ passwd
Current Kerberos 5 password: <current password>
New password: <enter>
BAD PASSWORD: it's WAY too short
New password: <enter>
BAD PASSWORD: it's WAY too short
New password: <enter>
BAD PASSWORD: it's WAY too short
New Kerberos 5 password: <new password>
Retype new Kerberos 5 password: <new password>
passwd: Authentication token manipulation error

Although I get an error in the last line, the password does get
changed. Here is my system-auth file:

auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so

account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_access.so
account sufficient /lib/security/pam_krb5.so
account required /lib/security/pam_access.so

password required /lib/security/pam_cracklib.so retry=3 type= debug
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password sufficient /lib/security/pam_krb5.so use_authtok debug
password required /lib/security/pam_deny.so

session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so

and the log output:

Jun 22 17:55:40 bit passwd(pam_unix)[18465]: user "aperez" does not exist in /etc/passwd or NIS
Jun 22 17:55:44 bit PAM-Cracklib[18465]: bad password: it's WAY too short
Jun 22 17:55:45 bit PAM-Cracklib[18465]: bad password: it's WAY too short
Jun 22 17:55:45 bit PAM-Cracklib[18465]: bad password: it's WAY too short
Jun 22 17:55:51 bit passwd[18465]: pam_krb5: aperez's Kerberos 5 password has been changed

This is working correctly for users in /etc/passwd and /etc/shadow.
I've tried required and requisite in the cracklib line, with no success.
Am I missing anything?

Thanks in advance, regards
Jose