Re: Old Authtok when changing passwords
- From: Andrew Morgan <morgan transmeta com>
- To: pam-list redhat com
- Subject: Re: Old Authtok when changing passwords
- Date: Tue, 16 Apr 2002 18:47:13 -0700
Thorsten Kukuk wrote:
> > In the grand scheme of things, PAM was supposed to remove the need for
> > applications to know about passwords at all. Not allowing apps to
> > get/set them from PAM was a design decision - all this info was supposed
> > to be something that a module managed.
>
> Yes, but the problem is, that the functions to change the password
> in a pam module can also not access the token from the authentication
> function.
This is a self-inflicted problem.
If the module used a PAM_AUTHTOK of some sort to authenticate the user,
then it (pam_sm_authenticate()) has the opportunity to cache this value
with pam_set_data(). In this way, its pam_sm_chauthtok() function can
check for the existence of said data (pam_get_data()) when it is time
for the user to select a new one.
The problem then is that pam_unix doesn't support this. Hacking around
this in the application is pretty ugly. Why not simply add this
functionality to the pam_unix module? (And make it optional based on a
module argument or something.)
Cheers
Andrew
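
The caching pattern described in the message above, as an added sketch that is not code from the post or from pam_unix. The pam_* definitions are a constructed single-slot stand-in so it compiles without libpam (a real module includes <security/pam_modules.h> instead), and OLD_TOK_KEY, cache_authtok(), cached_old_authtok() and stub_pam_end() are hypothetical names. The cached value is only visible while authentication and the password change share one PAM handle.

```c
/* Constructed stand-in for the libpam per-handle data store (one slot only).
 * In a real module, include <security/pam_modules.h> and drop this part. */
#include <stdlib.h>
#include <string.h>
#define PAM_SUCCESS 0
#define PAM_BUF_ERR 5
#define PAM_NO_MODULE_DATA 18
typedef struct pam_handle pam_handle_t;
typedef void (*cleanup_fn)(pam_handle_t *, void *, int);
struct pam_handle { const char *name; void *data; cleanup_fn cleanup; };

int pam_set_data(pam_handle_t *h, const char *name, void *data, cleanup_fn fn) {
    if (h->data && h->cleanup) h->cleanup(h, h->data, 0); /* replacing old data */
    h->name = name; h->data = data; h->cleanup = fn;
    return PAM_SUCCESS;
}
int pam_get_data(const pam_handle_t *h, const char *name, const void **out) {
    if (!h->data || strcmp(h->name, name) != 0) return PAM_NO_MODULE_DATA;
    *out = h->data;
    return PAM_SUCCESS;
}
void stub_pam_end(pam_handle_t *h) {   /* pam_end() runs the cleanup callbacks */
    if (h->data && h->cleanup) h->cleanup(h, h->data, 0);
    h->data = NULL;
}

#define OLD_TOK_KEY "demo_old_authtok"   /* hypothetical module data name */

/* Cleanup callback: wipe the cached secret before releasing the memory. */
void wipe_authtok(pam_handle_t *pamh, void *data, int status) {
    volatile char *p = data;
    (void)pamh; (void)status;
    if (!p) return;
    while (*p) *p++ = 0;
    free(data);
}
/* Call from pam_sm_authenticate() once the token has been verified. */
int cache_authtok(pam_handle_t *pamh, const char *authtok) {
    size_t n = strlen(authtok) + 1;
    char *copy = malloc(n);
    if (!copy) return PAM_BUF_ERR;
    memcpy(copy, authtok, n);
    return pam_set_data(pamh, OLD_TOK_KEY, copy, wipe_authtok);
}
/* Call from pam_sm_chauthtok(): NULL means nothing cached, so prompt instead. */
const char *cached_old_authtok(const pam_handle_t *pamh) {
    const void *tok = NULL;
    if (pam_get_data(pamh, OLD_TOK_KEY, &tok) != PAM_SUCCESS) return NULL;
    return tok;
}
```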