
I want to reject our standard password in PAM for the services until the user changes it. It is a fixed password, well known by our users, but I don't know how I can configure PAM to refuse it. I checked cracklib, but it works only on password change, not on auth. I can't use pam_succeed_if as it doesn't check the password.

Any idea how to reject this password?

Dom

2 Answers


chage -d 0 username should do it. You might have to set a null initial password which probably isn't very secure but some trial and error testing should reveal if that's the case.

-edit-

In that case can you spawn a login script upon login using /etc/profile, /etc/bash.bashrc or similar to set that password first and then let the ageing policy force it to be changed?

Jonathan Ross
  • I can't define a null password. I see that I can reject all the connections by pam for null passwords, but I would like to do this with a defined (specific) password. – Dom Apr 04 '11 at 10:46
  • I can't start the login script (it is mail servers without interactive shell), PAM is just used to test the password and allow the connection. – Dom Apr 04 '11 at 14:49
  • Tricky. Hopefully someone else can help. – Jonathan Ross Apr 04 '11 at 15:15

Consider pam_exec

poige
  • In last option, I will. But I would like to have quick login checks and no process creation if it is possible. – Dom Apr 04 '11 at 14:49
  • Well, if you'd had thousands of log-ins every second this could really matter. In that interesting case I'd write my own PAM-module targeted for this task only. ;-) – poige Apr 04 '11 at 14:58
  • You are right, I can do that, if there is no easy way to do that. – Dom Apr 04 '11 at 15:00
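As an added illustration of the pam_exec route poige suggests (this is example code written for this page, not anything posted by the question's author or the answerers), the following POSIX sh script can be wired in ahead of pam_unix so that the well-known default password is refused before the normal password check runs. pam_exec's real `expose_authtok` option passes the typed password to the helper on stdin and exports PAM_USER into its environment; the PAM line, the script path `/usr/local/sbin/reject-default-pw`, the hash file `/etc/security/default-pw.sha256` and the sample password `changeme` are assumptions chosen for the example. The script stores only a SHA-256 of the rejected password, so the plaintext does not sit in a world-readable file, and it fails closed when the hash file is missing, which is the deliberate choice for a `requisite` auth entry.

```shell
#!/bin/sh
# Added example for this Q&A (not from the original answers): a pam_exec helper
# that refuses one well-known default password for every service using PAM.
#
# Assumed PAM configuration (placed before the pam_unix auth line):
#   auth requisite pam_exec.so expose_authtok quiet /usr/local/sbin/reject-default-pw
#
# With expose_authtok, pam_exec writes the password the user typed to this
# script's stdin; a non-zero exit fails the requisite entry, so pam_unix is
# never consulted and the login is rejected without spawning a shell.

# Placeholder path; create it root-only (mode 0600) with default_pw_hash below.
REJECT_HASH_FILE=/etc/security/default-pw.sha256

# One-time admin helper: hash the default password so its plaintext is not
# stored on disk.  Usage: default_pw_hash 'the-default' > "$REJECT_HASH_FILE"
default_pw_hash() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# check_password CANDIDATE REJECT_HASH
# Returns 0 when the candidate may proceed to the normal PAM check,
# 1 when it is the rejected default password.
check_password() {
    candidate_hash=$(printf '%s' "$1" | sha256sum | cut -d' ' -f1)
    [ "$candidate_hash" != "$2" ]
}

# Entry point used by pam_exec.
main() {
    # Fail closed: a missing policy file is a misconfiguration, not a pass.
    if [ ! -r "$REJECT_HASH_FILE" ]; then
        logger -t reject-default-pw "hash file $REJECT_HASH_FILE unreadable, rejecting"
        exit 1
    fi
    reject_hash=$(cat "$REJECT_HASH_FILE")

    # Read the password from stdin.  tr strips the trailing NUL some pam_exec
    # versions append; command substitution also drops trailing newlines.
    pw=$(tr -d '\000')

    if check_password "$pw" "$reject_hash"; then
        exit 0
    fi
    # PAM_USER is exported by pam_exec; log the attempt (never the password).
    logger -t reject-default-pw "user ${PAM_USER:-unknown} attempted the default password"
    exit 1
}

# Only run main when invoked as the installed helper, so the functions can be
# sourced and tested without blocking on stdin.
case "$0" in
    */reject-default-pw|reject-default-pw) main ;;
esac
```

Generate the hash once with `default_pw_hash 'changeme' > /etc/security/default-pw.sha256` (substituting the real default), make the script executable and root-owned, and the `requisite` control ensures that a user who is still on the default password gets a clean authentication failure on the mail services without any interactive shell being involved.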