
I am looking to reconfigure my pam.d to prompt for new password confirmation 3 times when using `passwd` to change a password.

I have tried to duplicate the unix.so line in password-auth and system-auth like this

```
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
```

and like this

```
password    required    pam_unix.so shadow nullok try_first_pass
password    required    pam_unix.so shadow nullok try_first_pass
password    required    pam_unix.so shadow nullok try_first_pass
```

and many more variations of the above configuration in the password-auth and system-auth files, but these do not effect the changes I expect: the confirmation still prompts twice, but sometimes returns an "error manipulation token" error.

Please, what do I need to do (what parameters) to control how many times users will be prompted to confirm the new password when using `passwd`? Thanks.

juwonlona
  • I am afraid it is not possible, at least not with `pam_unix`. Please read [man 3 pam_get_authtok](https://man7.org/linux/man-pages/man3/pam_get_authtok.3.html) for clarification (yes, that's PAM API documentation; sometimes you even need to refer to [the source](https://github.com/linux-pam/linux-pam/blob/master/modules/pam_unix/pam_unix_passwd.c) when nothing helps). In short, PAM only supports one confirmation of the password token: this function asks for new passwords strictly twice. There is no configurable parameter to alter this behaviour. – Nikita Kipriyanov Dec 12 '22 at 18:32
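
An added example, not part of the original question or comment: a small static check of a PAM `password` stack, based on the documented `pam_get_authtok` behaviour (a cached token is returned without prompting, and `use_authtok` fails when no token is cached). The function name `lint_password_stack`, the finding codes and the `PROMPTING` module set are assumptions made for this illustration; the two sample stacks are constructed from the lines in the question and are checked in isolation.

```python
import re

# Constructed samples: the two pam_unix variations quoted in the question.
STACK_A = "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok\n" * 3
STACK_B = "password    required    pam_unix.so shadow nullok try_first_pass\n" * 3

# Assumption: these modules prompt for the new password when none is cached.
PROMPTING = {"pam_unix.so", "pam_pwquality.so", "pam_cracklib.so"}
# Matches "password <control> <module> [options]"; control may be "[k=v ...]".
LINE = re.compile(r"^-?password\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def lint_password_stack(text):
    """Return (line_number, code) findings for the 'password' lines in text."""
    findings, token_cached, seen = [], False, set()
    for number, raw in enumerate(text.splitlines(), 1):
        match = LINE.match(raw.split("#", 1)[0].strip())
        if not match:
            continue  # comment, blank line, or another management group
        module = match.group(2).rsplit("/", 1)[-1]
        options = set(match.group(3).split())
        if "use_authtok" in options and not token_cached:
            # No earlier module stored a new token: the change fails, no prompt.
            findings.append((number, "use_authtok-without-token"))
        elif module in PROMPTING and module in seen and token_cached:
            # The cached token is returned; the repeat adds no further prompt.
            findings.append((number, "repeat-reuses-cached-token"))
        if module in PROMPTING and "use_authtok" not in options:
            token_cached = True  # this module prompts and stores the new token
        seen.add(module)
    return findings


if __name__ == "__main__":
    for name, stack in (("A", STACK_A), ("B", STACK_B)):
        for number, code in lint_password_stack(stack):
            print(f"stack {name} line {number}: {code}")
```

Neither finding code corresponds to a way of getting a third confirmation prompt; both mark lines that cannot add one.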

0 Answers