Possible bug in PAM pam-0.99.8.1 regarding password changing

[decoder <decoder own-hero net>]

Hello all,


I ran into problems when using the "requisite" keyword with password
changing modules. I reduced my problem to a very simple stack which only
involves 2 instances of pam_debug, to make it easier to understand:

password   requisite   pam_debug.so prechauthtok=success
chauthtok=authtok_err
password   sufficient  pam_debug.so prechauthtok=success chauthtok=success

This accurately describes the current situation I am having with two pam
modules (pam_krb5 and pam_smbpass). The first module is failing in the
change phase because the new password does not satisfy a given policy
(similar to cracklib policies). Nevertheless, the output for `passwd` as
a user is:

decoder myserver ~ $ passwd
prechauthtok=success
prechauthtok=success
chauthtok=authtok_err
chauthtok=success
passwd: Authentication token manipulation error


As you can see, the second chauthtok is still returning success here,
although it shouldn't even get called at all! (because of requisite).
This essentially causes my password databases to go out of sync because
PAM does not stop although it is told to stop on failure with the
requisite keyword.

System Information:

OS: Gentoo Linux
Installed PAM version: pam-0.99.8.1-r1 provided by Gentoo portage

If anyone could verify this behavior, and, if this is not a problem on
my side, tell me if this is supposed to happen or not, that would help
me a lot.


Best regards and thanks in advance,


Chris