[Freeipa-devel] [PATCH] reuse authtok which is already in the pam stack

Simo Sorce ssorce at redhat.com
Thu Apr 30 12:52:50 UTC 2009


On Thu, 2009-04-30 at 11:23 +0200, Sumit Bose wrote:
> Simo Sorce wrote:
> > On Wed, 2009-04-29 at 23:23 +0200, Sumit Bose wrote:
> >> Sumit Bose wrote:
> >>> Sumit Bose wrote:
> >>>> Hi,
> >>>>
> >>>> this is a quick and dirty patch for the use_first_pass issue,
> >>>> please test.
> >>>> bye,
> >>>> Sumit
> >>>>
> >>> Hi,
> >>>
> >>> this new version adds the 'use_first_pass' option.
> >>>
> >> this new version fixes a problem when compiling with -DDEBUG
> > 
> > ack and pushed.
> > 
> > I also pushed a patch that fixes indentation, it doesn't change any code
> > so I didn't put it on for review.
> > 
> sorry, I just found out that pam_sss didn't play nice with
> pam_cracklib.so, because pam_cracklib.so only provides a new password
> and not the old one.
> 
> If you want to change the password for a user from the LOCAL domain a
> workaround is either to disable pam_cracklib.so in system-auth, or to
> ignore the first three requests to enter a new password and then enter
> old and new password.

Ok, not a big deal really, let's just remove cracklib for now.
I think we should integrate cracklib functionality within pam_sss anyway
and use the machine policy to determine its parameters.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



