Problem with pam_chauthtok

Doerte Alex da_news at arcor.de
Tue Feb 20 09:00:38 UTC 2007


Hello,

I have the following problem with pam_chauthtok from within a GUI, with which
the user should change his password (under RHEL 3 in C++):

Changing the password via pam_chauthtok works perfectly, including the strength
check with pam_cracklib, the history check with pam_unix and writing opasswd.

But writing it works only once per GUI process, i.e. only the first time
that I change the password via one GUI.
When I open a new GUI, the first password change works again.

It seems that pam_unix or pam_cracklib (or whoever is responsible for
changing the user's password) somehow "remembers" that this PID has already
successfully called pam_chauthtok, or something like that?

What might be the problem here? Do I have to reset something somewhere
in pam?

Who exactly writes the shadow and opasswd files, at which time, and triggered
by which signal?

The following is a short extract from my source code, including the password change:

=====================
unsigned32 PasswdAdmin::isAllowed(char *i1_oldpassword,
                                  char *i2_newpassword,
                                  char *i3_userName,
                                  char **o1_msg)
{
    pam_handle_t *pamh = NULL;
    struct pam_conv conv;
    conv.conv = PamConverse;
    conv.appdata_ptr = NULL;   // was left uninitialised; PAM hands this pointer to PamConverse

    // values handed over to the conversation function (file-scope globals)
    pass1 = i2_newpassword;
    pass2 = i1_oldpassword;

    int retval = pam_start("check_password", i3_userName, &conv, &pamh);

    if (retval == PAM_SUCCESS) {
        retval = pam_authenticate(pamh, 0);
        if (retval != PAM_SUCCESS) {
            TRACE("AUTHENTICATE returns " << pam_strerror(pamh, retval));
            pam_end(pamh, retval);
            return C_ERROR;
        }
    } else {
        TRACE("pam_start returns " << pam_strerror(pamh, retval));
        pam_end(pamh, retval);
        return GEN_C_ERROR;
    }

    if (retval == PAM_SUCCESS) {
        retval = pam_chauthtok(pamh, 0);
        if (retval != PAM_SUCCESS) {
            TRACE("CHAUTHTOK returns " << pam_strerror(pamh, retval));
            pam_end(pamh, retval);
            if (transfer_msg) {
                *o1_msg = transfer_msg;   // message from the conversation function
            }
            return C_ERROR;
        }
    } else {
        // not reachable: retval is always PAM_SUCCESS after the authenticate block above
        TRACE("pam_start returns " << pam_strerror(pamh, retval));
        pam_end(pamh, retval);
        return C_ERROR;
    }
    pam_end(pamh, retval);
    return C_OK;
}

==========================

This is called from the GUI via callback. Only the first call leads to a changed passwd.

I see in the traces of the conversation function that, when I call chauthtok the first time,
it is first asked for the old password and then twice for the new password.
When I call it a second time, it is asked only for the new password twice, although
I have a new pamh. It returns PAM_SUCCESS but without having changed
the password :(

I would be very happy if someone had an idea about this problem.

regards
Doerte
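An added example (not from the post above, and not Linux-PAM's own code) of the conversation function the extract omits: it takes the old and new password through pam_conv.appdata_ptr instead of the pass1/pass2 globals, answers each prompt from its text rather than its position, and counts which prompts the module actually issued, so a caller can see from the state whether the current password was ever requested on the second run. The names chauthtok_conv and chauthtok_state are assumptions; the prompt wording follows pam_unix's "(current) UNIX password" / "New UNIX password" prompts, and the stand-in definitions let it build and run where libpam headers are absent.

```c
#include <stdlib.h>
#include <string.h>
#ifdef __has_include
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_PAM_APPL 1
#  endif
#endif
#ifndef HAVE_PAM_APPL
/* Stand-ins carrying Linux-PAM's values so the callback builds and runs without libpam. */
#define PAM_SUCCESS 0
#define PAM_CONV_ERR 19
#define PAM_PROMPT_ECHO_OFF 1
#define PAM_PROMPT_ECHO_ON 2
#define PAM_ERROR_MSG 3
#define PAM_TEXT_INFO 4
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
#endif
/* Per-call state handed to PAM through pam_conv.appdata_ptr instead of process globals. */
struct chauthtok_state {
    const char *old_password, *new_password;   /* constructed test secrets in the caller */
    int old_prompts, new_prompts;              /* how often each kind of prompt was seen */
};
/* Answers each prompt by its text rather than its position in the sequence, and counts
   what was asked so the caller can tell whether the current password was ever requested. */
static int chauthtok_conv(int num_msg, const struct pam_message **msg,
                          struct pam_response **resp, void *appdata_ptr)
{
    struct chauthtok_state *st = appdata_ptr;
    if (num_msg <= 0 || st == NULL) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)num_msg, sizeof *r);
    if (r == NULL) return PAM_CONV_ERR;
    for (int i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO) continue;   /* nothing to answer */
        if (style != PAM_PROMPT_ECHO_OFF && style != PAM_PROMPT_ECHO_ON) goto fail;
        int is_new = strstr(msg[i]->msg, "new") != NULL || strstr(msg[i]->msg, "New") != NULL;
        const char *answer = is_new ? st->new_password : st->old_password;
        if (answer == NULL || (r[i].resp = malloc(strlen(answer) + 1)) == NULL) goto fail;
        strcpy(r[i].resp, answer);
        if (is_new) st->new_prompts++; else st->old_prompts++;
    }
    *resp = r;   /* PAM takes ownership and frees the array and every resp string */
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
```

After pam_chauthtok returns, old_prompts == 0 is the signal that the module never asked for the current password, which is exactly the second-run behaviour the trace shows.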
