Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 3 Jul 2006 04:38:07 +0400
From: Solar Designer <>
Subject: Re: tcb and friends with shadow-utils 4.0.12

On Sun, Jul 02, 2006 at 10:11:37AM -0600, Vincent Danen wrote:
> I suppose the passwd
> program would make sure the two entered passwords are identical and then
> hand that password off to pam_tcb).

That's not how things work.

The PAM conversation function provided by the passwd program receives
multiple echo-off input prompts from the PAM stack.  It does not know
which of those prompts are for the new password, nor does it care.  In
fact, for a text terminal interface, the passwd program may provide the
standard PAM conversation function from libpam_misc rather than bother
with its own implementation.

With the configuration you had posted, the two new password prompts
originate from pam_passwdqc.  If you remove pam_passwdqc from the stack
and also remove the use_authtok option from pam_tcb, then the prompts
will originate from pam_tcb.

As it relates to the segfault you're seeing, I think it'd be most
straightforward to debug it rather than proceed to theorize as to its
possible cause.

Alexander Peslyak <solar at>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598 - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.