Re: Old Authtok when changing passwords
- From: Thorsten Kukuk <kukuk suse de>
- To: pam-list redhat com
- Subject: Re: Old Authtok when changing passwords
- Date: Wed, 17 Apr 2002 07:42:37 +0200
On Tue, Apr 16, Andrew Morgan wrote:
> Thorsten Kukuk wrote:
> > > In the grand scheme of things, PAM was supposed to remove the need for
> > > applications to know about passwords at all. Not allowing apps to
> > > get/set them from PAM was a design decision - all this info was supposed
> > > to be something that a module managed.
> >
> > Yes, but the problem is, that the functions to change the password
> > in a pam module can also not access the token from the authentication
> > function.
>
> This is a self-inflicted problem.
>
> If the module used a PAM_AUTHTOK of some sort to authenticate the user,
> then it (pam_sm_authenticate()) has the opportunity to cache this value
> with pam_set_data(). In this way, its pam_sm_chauthtok() function can
> check for the existence of said data (pam_get_data()) when it is time
> for the user to select a new one.
>
> The problem then is that pam_unix doesn't support this. Hacking around
> this in the application is pretty ugly. Why not simply add this
> functionality to the pam_unix module? (And make it optional based on a
> module argument or something.)
I wish to add it to the pam module, not to the application. I only hate
to store passwords with pam_set_data() for security reasons and the
initial question was, if there is already something else.
But it seems I have to implement something with pam_set_data for
pam_unix2.
Thorsten
--
Thorsten Kukuk http://www.suse.de/~kukuk/ kukuk@suse.de
SuSE Linux AG Deutschherrenstr. 15-19 D-90429 Nuernberg
--------------------------------------------------------------------
Key fingerprint = A368 676B 5E1B 3E46 CFCE 2D97 F8FD 4E23 56C6 FB4B
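The caching approach discussed in this message, as an added example that is not part of the original post and is not pam_unix or pam_unix2 code: the authentication step stores a private copy of the token with a cleanup callback that wipes it, and the password-change step fetches it and drops it at once. The demo_* functions are a hypothetical single-slot stand-in for libpam's pam_set_data(), pam_get_data() and pam_end(); the data name and the sample token are constructed.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for libpam's per-handle data store (NOT libpam itself): one slot. */
typedef struct demo_handle demo_handle;
typedef void (*cleanup_fn)(demo_handle *h, void *data, int error_status);
struct demo_handle { const char *name; void *data; cleanup_fn cleanup; };
#define OLDTOK_KEY "demo_unix_oldauthtok"  /* hypothetical data name */
static int cleanup_calls = 0;              /* demo instrumentation only */
/* Cleanup: overwrite the token through a volatile pointer, then free it. */
static void authtok_cleanup(demo_handle *h, void *data, int error_status) {
    (void)h; (void)error_status;
    volatile char *v = data;
    for (size_t n = strlen(data); n > 0; n--) *v++ = 0;
    free(data);
    cleanup_calls++;
}
/* Like pam_set_data(): replacing an entry runs the old entry's cleanup. */
static int demo_set_data(demo_handle *h, const char *name, void *data, cleanup_fn fn) {
    if (h->data && h->cleanup) h->cleanup(h, h->data, 0);
    h->name = name; h->data = data; h->cleanup = fn;
    return 0;
}
static void *demo_get_data(const demo_handle *h, const char *name) {
    return (h->name && strcmp(h->name, name) == 0) ? h->data : NULL;
}
static void demo_end(demo_handle *h) { demo_set_data(h, NULL, NULL, NULL); } /* like pam_end() */
/* Authentication step: cache a private copy of the token just verified. */
static int demo_authenticate(demo_handle *h, const char *authtok) {
    char *copy = malloc(strlen(authtok) + 1);
    if (!copy) return -1;
    strcpy(copy, authtok);
    return demo_set_data(h, OLDTOK_KEY, copy, authtok_cleanup);
}
/* Password-change step: copy the cached old token into out, then drop the
   cache immediately so it does not linger until the transaction ends. */
static int demo_chauthtok(demo_handle *h, char *out, size_t outlen) {
    const char *old = demo_get_data(h, OLDTOK_KEY);
    if (!old || strlen(old) >= outlen) return 0;
    strcpy(out, old);
    demo_set_data(h, NULL, NULL, NULL);
    return 1;
}
int main(void) {
    demo_handle h = {0};
    char old[64];
    demo_authenticate(&h, "constructed-old-pw");  /* constructed sample token */
    int ok = demo_chauthtok(&h, old, sizeof old);
    demo_end(&h);
    return ok ? 0 : 1;
}
```

In a real module the caller's out buffer holds the old password too and needs the same wipe once the change is done.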