Michael Prokop <m...@debian.org> writes:

> Changing password (through chpasswd) is broken with libpam-krb5 3.15-1:
> # echo "root:foobar2009" | chpasswd
> chpasswd: (user root) pam_chauthtok() failed, error:
> Authentication token manipulation error
> chpasswd: (line 1, user root) password not changed

> | # here are the per-package modules (the "Primary" block)
> | password requisite pam_krb5.so minimum_uid=1000
> | password [success=1 default=ignore] pam_unix.so obscure
> use_authtok try_first_pass sha512

I think this is a deeper problem with how the modules are stacking and I'm not sure how to fix it. Copying Steve Langasek for his opinion.

The problem here, so far as I can tell, is that since you're trying to change the password for an account that pam_krb5 declines (due to minimum_uid), it returns PAM_IGNORE with no further action. That means that specifically it does not prompt the user for either the old or the new password. However, pam_unix is configured with use_authtok, which means that it expects the password to already be present in the PAM data by the time it runs. Since pam_krb5 doesn't do this in the case where it's ignoring the user, pam_unix fails due to not having a new password already available.

If you added another PAM module that did the password prompting, such as pam_cracklib, that sits in the stack in front of the other modules, the problem would disappear.

I don't think pam_krb5 can do the password prompting when it's going to ignore the password change since it should generally not prompt for the new password until it's authenticated the account, and for ignored accounts it has no way of doing that. However, pam_unix also can't use something other than use_authtok, since otherwise a user can bypass pam_cracklib earlier in the stack.

I'm not really sure how to fix this.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>
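Added example, not part of the message above and not libpam code: a simplified single-pass model of the quoted password stack, showing why the change fails for an account below minimum_uid and why a prompting module in front makes the failure disappear. Assumptions: the pam_deny fallback line (the module that success=1 skips) is not quoted in the report, pam_prompter is a hypothetical stand-in for a module such as pam_cracklib, and the password is a constructed sample value.

```python
# Simplified model of a PAM password stack (added example, not libpam itself).
SUCCESS, IGNORE, AUTHTOK_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTHTOK_ERR"

def pam_krb5(ctx, minimum_uid=1000):
    if ctx["uid"] < minimum_uid:
        return IGNORE                   # declines the account and never prompts
    ctx["authtok"] = ctx["prompt"]()    # assumes the Kerberos side succeeds
    return SUCCESS

def pam_unix(ctx):
    # use_authtok: do not prompt, require a new password stored by an earlier module
    return SUCCESS if ctx["authtok"] else AUTHTOK_ERR

def pam_prompter(ctx):
    # hypothetical stand-in for a module that prompts first, such as pam_cracklib
    ctx["authtok"] = ctx["prompt"]()
    return SUCCESS

def pam_deny(ctx):
    return AUTHTOK_ERR

# (control, module): "requisite" aborts on failure,
# an int N stands for [success=N default=ignore]
REPORTED = [
    ("requisite", pam_krb5),
    (1, pam_unix),
    ("requisite", pam_deny),            # assumed fallback, not quoted in the report
]
WITH_PROMPTER = [("requisite", pam_prompter)] + REPORTED

def chauthtok(stack, uid, new_password):
    ctx = {"uid": uid, "authtok": None, "prompt": lambda: new_password}
    skip, result = 0, None
    for control, module in stack:
        if skip:                        # jumped over by an earlier success=N
            skip -= 1
            continue
        rc = module(ctx)
        if rc == IGNORE:
            continue
        if rc == SUCCESS:
            result = result or SUCCESS
            if isinstance(control, int):
                skip = control
        elif control == "requisite":
            return rc                   # requisite failure ends the stack at once
        # failing module under default=ignore: nothing is recorded
    return result or AUTHTOK_ERR        # model choice: no success counts as failure

if __name__ == "__main__":
    for name, stack, uid in [("reported", REPORTED, 0),
                             ("with prompter", WITH_PROMPTER, 0),
                             ("reported", REPORTED, 1000)]:
        print(name, "uid", uid, "->", chauthtok(stack, uid, "constructed-sample-pw"))
```

The real stack is traversed twice (preliminary check, then update); the model collapses that into one pass because the missing new password only matters in the update pass.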