PAM_OLDAUTHTOK

Solar Designer solar at openwall.com
Sun Apr 30 10:22:15 UTC 2006


On Thu, Apr 27, 2006 at 03:03:27PM -0400, Scott Gentry wrote:
> While fooling around with cracklib and passwdqc I noticed that when
> pam_get_item is called on to get PAM_OLDAUTHTOK that NULL is returned when I
> run the passwd program as root.
> 
> I believe that this is done because when the root user changes a password for
> a user that you don't want root to be prompted for the old password.

That's correct.

> That does allow the root user to break some policy rules for passwdqc (i.e.
> can use an old password or a similar password which is supposed to be
> invalid).

Yes.

> Is this the desired functionality when passwd is called as root?

It is not always desired, but no other approach is obviously better than
that.  A "solution" would be to store password histories.  Unfortunately,
such histories pose a security risk on their own.

> Is there anyway to have the OLDAUTHTOK stored when the root user is running
> the application?

The question is where the OLDAUTHTOK would come from.  It is supposed to
be the _plaintext_ old password - but you don't want to be storing that
anywhere on the system.  So either root is forced to enter it - which is
most certainly undesired and not always possible - or you don't have it.

A partial workaround would be to attempt authentication with the new
password prior to actually setting the password.  If authentication
succeeds, then the entered new password is the same as the old one - and
it should be rejected.  Unfortunately, pam_passwdqc itself can only be
enhanced to do that for Unix passwords serviced by the NSS.  This may be
good enough for you, but it won't cover all possible setups.
Alternatively, it's pam_unix (or its equivalents, such as our pam_tcb)
which could be enhanced to perform the same-as-old-password check.
Overall, this seems like quite some complexity for little gain - so it's
probably not worth doing.

-- 
Alexander Peslyak <solar at openwall.com>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments

Was I helpful?  Please give your feedback here: http://rate.affero.net/solar
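
The "attempt authentication with the new password before setting it" workaround from the message above, as an added example that is not code from this thread, from pam_passwdqc or from pam_unix. It is a Python simulation of the change-password step: the hash format, the hash_password/verify_password helpers and the chauthtok function are stand-ins chosen so the example runs offline (a real module would call crypt_r() against the shadow or tcb entry obtained through NSS). The simulated shadow record is constructed here, not taken from any system.

```python
"""Added example (not from the original thread or from pam_passwdqc):
simulate the same-as-old-password check that a PAM chauthtok module
could perform when PAM_OLDAUTHTOK is NULL (root changing another
user's password)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed stand-in for crypt(3) hashes: "$pbkdf2$<iterations>$<salt hex>$<hash hex>".
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a stored hash (stand-in for what pam_unix would write to shadow)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"$pbkdf2${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Equivalent of authenticating the user: does `password` match `stored`?"""
    try:
        _, scheme, iters, salt_hex, hash_hex = stored.split("$")
        if scheme != "pbkdf2":
            return False
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except ValueError:
        # Malformed record: treat as "does not match" rather than crash.
        return False
    # Constant-time comparison, as a real verifier would use.
    return hmac.compare_digest(dk.hex(), hash_hex)


def chauthtok(shadow: Dict[str, str], user: str, new_password: str,
              oldauthtok: Optional[str]) -> Tuple[bool, str]:
    """Simulated password-change step (hypothetical name, mirrors pam_sm_chauthtok).

    `oldauthtok` stands for PAM_OLDAUTHTOK, the plaintext old password. It is
    None when root changes another user's password, the case the thread is about.
    """
    stored = shadow.get(user)
    if stored is None:
        return False, "no such user"

    if oldauthtok is not None:
        # Normal (non-root) case: the old plaintext is available, so the module
        # can compare directly (and passwdqc can also apply its similarity rules).
        if new_password == oldauthtok:
            return False, "new password is the same as the old one"
    else:
        # Root case, no PAM_OLDAUTHTOK: authenticate with the *new* password
        # against the stored hash first. Success means the new password equals
        # the current one, so it must be rejected.
        if verify_password(new_password, stored):
            return False, "new password is the same as the old one"
        # Caveat from the thread: this catches only exact reuse. A password that
        # merely resembles the old one passes, because only the hash is available.

    shadow[user] = hash_password(new_password)
    return True, "password updated"


def build_shadow() -> Dict[str, str]:
    """Constructed sample shadow table (fixed salt so results are reproducible)."""
    return {"alice": hash_password("correct horse", salt=b"\x00" * 16)}


if __name__ == "__main__":
    shadow = build_shadow()
    # Root re-sets alice's password to the value she already has: rejected.
    print(chauthtok(shadow, "alice", "correct horse", None))
    # Root sets a merely similar password: accepted, which is the gap the
    # message calls a "partial workaround".
    print(chauthtok(shadow, "alice", "correct horse2", None))
```

The check is only as good as the hash lookup behind verify_password: it covers accounts whose hashes the module can read through the Unix/NSS path, which is the limitation the message points out for setups that keep passwords elsewhere.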
