Q: Stacking in Solaris

velociraptor velociraptor at gmail.com
Tue May 17 17:04:15 UTC 2005


I was wondering if anyone might be able to help
me with a problem I am having.

I compiled the pam_cracklib/cracklib for Solaris
packages off of SourceForge, and got them working
on both Solaris 8 & 9.

My pam.conf looks like so for the passwd command:

passwd  auth            required        /usr/lib/security/pam_passwd_auth.so.1
other   password        requisite       /usr/lib/security/pam_authtok_get.so.1 debug
other   password        requisite       /usr/lib/security/pam_cracklib.so use_authtok debug
other   password        required        /usr/lib/security/pam_authtok_store.so.1 try_first_pass debug

I have also tried swapping pam_authtok_store.so.1 with 
the below library provided recently by Sun (an updated
pam_unix allowing passwords of greater than 8 characters).

other   password        required        /usr/lib/security/pam_unix.so.1 try_first_pass

The problem I see with cracklib: if a password passes the
cracklib check (e.g. non-dictionary, non-gecos, etc.), it
will be accepted by the OS even if it does not conform to 
the Solaris requirement that it have at least one non-alpha 
character.  E.g. sckurmep is accepted, when without 
cracklib in the PAM stack, it is rejected.

(If I do not include "try_first_pass" or "use_first_pass" as an
option to pam_authtok_store or pam_unix, the user is 
prompted twice for their old password and the new password.)

Any suggestions appreciated.

=Nadine=



