pam password changing

Hi all

I'm using the CentOS 7 setup I described in my previous post (nss-pam-ldapd
0.9.10 in CentOS7).
When the pwdReset flag is true, the user is correctly forced to update his
password. But the old password is required twice: once in the authentication
phase, and once more in the password phase, I suppose.

To be clear, below OLDPASSWORD has to be typed twice.

# ssh -l lux localhost
lux@localhost's password: OLDPASSWORD
Password must be changed
Last login: Mon Jan 14 11:51:18 2019 from localhost
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user lux.
(current) LDAP Password: OLDPASSWORD
New password: *******
Retype new password: *******

Looking at the code, in the auth module pam_sm_authenticate() saves the password
in the context, ctx->oldpassword = strdup(passwd). In the comment I read
that the old password is saved exactly for use in case we have to change it.
But then in the password module, in pam_sm_chauthtok(), I find that
ctx->oldpassword is NULL. Is this by design, i.e. is the context not kept
between the various modules? Better, is there a way not to have to type the
old password twice, one time and immediately another time?

Thank you, best regards,
