Linux PAM stack strangeness with pam_cracklib/pam_pwcheck
- From: Marcin Krzysztof Porwit <mporwit centeris com>
- To: Pluggable Authentication Modules <pam-list redhat com>
- Subject: Linux PAM stack strangeness with pam_cracklib/pam_pwcheck
- Date: Thu, 03 May 2007 14:17:04 -0700

I'm running into some bizarre behavior on SuSE and RedHat systems. I'm
trying to insert another module to do password strength checking, and if
that check fails, then the entire password change should fail. My config
looks as follows:

    password requisite pam_lwipasspolicy.so debug
    password requisite pam_pwcheck.so nullok cracklib
    password required pam_unix2.so nullok use_authtok

Setting "requisite" on pam_lwipasspolicy should mean that if it fails,
then pam_cracklib or pam_pwcheck is not even supposed to be called,
since pam_lwipasspolicy returns PAM_AUTHTOK_ERR. Strangely, however,
pam_cracklib and pam_pwcheck both reprompt for the password. No amount
of tweaking has produced the expected behavior.

You can emulate this behavior by taking a RedHat system and putting
pam_cracklib in twice in a row, both times set to requisite. Same would
go for SuSE and pam_pwcheck.

Can anyone tell me why this is happening? BTW, if the prelim check of
pam_lwipasspolicy (and pam_cracklib) returns a failure, "requisite"
works as expected. It is only on the actual request that the error does
not appear to be honored.

--
Marcin Krzysztof Porwit
mporwit centeris com
#include <stddisclaimer.h>