PAM_AUTHENTICATE fails when password is empty (Linux Security forums, System Security and Security Related category)
Hi there,

I have a problem regarding PAM. I wrote a function to change a user-password. That function checks the current password by using "pam_authenticate" and it works very well so far. But if a user has no password set and wants to do it now, pam_authenticate fails and so my function fails. Pam_authenticate seems to work only if the authenticating user has a password - but why?

So I need an alternative to pam_authenticate or a possibility to check whether the password is NULL or not.

Thanks for your support!

Phil
Hi,

Are you writing it as an application? If yes, your problem might be on /etc/pam.d/ config files. Some AUTH modules may not allow empty passwords.

Besides that, changing passwords should be a module's task.

> current password by using "pam_authenticate" and it works very well so
Hi,

I helped myself by checking out the passwd-file. But now I have the problem that it only works if I am root, but not as a normal user. As a normal user the chauthtok-function throws error 20 (auth. token manipulation error). My pam.d/passwd-file is configured as "password required pam_unix.so nullok min=4 max=8".

The problem I had with empty passwords was not to change it but to authenticate users with an empty password (in order to verify the old password). As I said, now the verification works but I can only change root's password.

Below you can see my program. The conv-function seems to work properly. It just replies the current and new password. Do you have an idea to solve the problem, or can you give me some tips how to realize it as a module, if that works better?

    #include <stdio.h>
    #include <stdlib.h>
    #include <pwd.h>
    #include <security/pam_appl.h>

    /* Filled in from the command line and handed back by the conversation
       function. The conversation structure "conv" is not shown in the post. */
    const char *oldPassword, *newPassword;
    extern struct pam_conv conv;

    int main(int argc, char **argv)
    {
        struct passwd *pw; /* to check if the password is empty */
        int pamRV;
        pam_handle_t *pPamH;
        const char *pUserName;

        if (argc != 4) {
            fprintf(stderr, "%s: Invalid command line parameters.\n", argv[0]);
            exit(-1);
        }
        pUserName = argv[1];
        oldPassword = argv[2];
        newPassword = argv[3];

        pamRV = pam_start("passwd", pUserName, &conv, &pPamH);
        if (pamRV != PAM_SUCCESS) {
            exit(pamRV);
        }

        pw = getpwnam(pUserName); /* passwd-entry for user logged in */
        if (pw == NULL) { /* unknown user: pw must not be dereferenced */
            pam_end(pPamH, PAM_USER_UNKNOWN);
            exit(PAM_USER_UNKNOWN);
        }
        fprintf(stderr, "\n\nChanging password for %s\nUsers current Password is: %s\n",
                pUserName, pw->pw_passwd);

        pamRV = pam_authenticate(pPamH, 0);
        fprintf(stderr, "pam_authenticate returned %d\n", pamRV);

        if (*pw->pw_passwd == '\0') {
            /* empty password field: skip the authentication result */
            fprintf(stderr, "Current password is empty. Changing password.\n");
            pamRV = pam_chauthtok(pPamH, 0);
            fprintf(stderr, "return value: %d\n", pamRV);
        } else if (pamRV == PAM_SUCCESS) {
            fprintf(stderr, "Current Passwort checked. Changing password.\n");
            pamRV = pam_chauthtok(pPamH, 0);
            fprintf(stderr, "return value: %d\n", pamRV);
        } else {
            fprintf(stderr, "Validation of current password failed\n");
        }

        pam_end(pPamH, pamRV);
        exit(pamRV);
    }

Roberto Gallo <robertogallofilho@hotmail.com> wrote in message news:<pan.2004.12.01.14.20.54.515103@hotmail.com>...
> Hi,
>
> Are you writing it as an application? If yes, your problem might be on
> /etc/pam.d/ config files. Some AUTH modules may not allow empty passwords.
>
> Besides that, changing passwords should be a module's task.
>
> > current password by using "pam_authenticate" and it works very well so
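Added example (not from the thread and not Linux-PAM code): pam_unix refuses a blank password unless its line for that management group carries nullok, so a service file can have nullok on the password line, like the pam.d/passwd line quoted above, and still reject an empty password in pam_authenticate. The checker below reports this per group; the function and enum names and the sample auth line are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

enum nullok_state { NO_PAM_UNIX, UNIX_NO_NULLOK, UNIX_NULLOK };

static int tok_is(const char *p, size_t n, const char *s) {
    return strlen(s) == n && memcmp(p, s, n) == 0;
}

/* How is pam_unix.so configured for one management group ("auth", "password",
 * ...)? @include lines are not followed; nullok on any matching line wins. */
enum nullok_state pam_unix_nullok(const char *cfg, const char *type) {
    enum nullok_state state = NO_PAM_UNIX;
    while (*cfg) {
        const char *p = cfg, *end = cfg + strcspn(cfg, "#\n"); /* drop comments */
        int field = 0, seen_unix = 0;
        cfg += strcspn(cfg, "\n");
        if (*cfg == '\n') cfg++;
        for (;;) {
            p += strspn(p, " \t");
            if (p >= end) break;
            size_t n = strcspn(p, " \t#\n");
            if (field++ == 0) {               /* first field: the type */
                size_t dash = (*p == '-');    /* "-auth": don't log a missing module */
                if (!tok_is(p + dash, n - dash, type)) break;
            } else if (!seen_unix) {          /* control field(s), then the module */
                seen_unix = n >= 11 && memcmp(p + n - 11, "pam_unix.so", 11) == 0
                            && (n == 11 || p[n - 12] == '/');
                if (seen_unix && state == NO_PAM_UNIX) state = UNIX_NO_NULLOK;
            } else if (tok_is(p, n, "nullok")) {  /* module argument */
                state = UNIX_NULLOK;
            }
            p += n;
        }
    }
    return state;
}

/* Constructed sample: password line as quoted in the thread, auth line assumed. */
static const char SAMPLE[] =
    "auth     required pam_unix.so\n"
    "password required pam_unix.so nullok min=4 max=8\n";

int main(void) {
    static const char *txt[] = { "no pam_unix line", "no nullok", "nullok" };
    printf("auth:     %s\n", txt[pam_unix_nullok(SAMPLE, "auth")]);
    printf("password: %s\n", txt[pam_unix_nullok(SAMPLE, "password")]);
    return 0;
}
```

On a Debian-style system the pam_unix lines usually sit in the files pulled in by @include, so those files need to be passed to the checker as well.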
Hi,

Now I have solved the problem. It has to do with the different OS I use. The software is written and built on Gentoo but runs on a machine which uses Debian. Until now I had no problems building the whole stuff on my Gentoo system. But obviously PAM is different on the different systems and my PAM on Gentoo does not allow normal users to change their authentication token.

Cheers,
Phil