[Pkg-shadow-devel] improvement of chfn/chsh manpages

Tomasz Kłoczko kloczek at zie.pg.gda.pl
Mon Oct 3 18:04:44 UTC 2005


On Sun, 2 Oct 2005, Alexander Gattin wrote:

> Hi, Tomasz!
> 
> I have fixed a typo in chsh.1.xml
> and added chsh(1) to SEE ALSO section of chfn.1.xml
> (diff attached).

Committed.
Thank you.
 
> Also I have a question -- how do you have chfn/chsh
> operating in PLD for ordinary users -- do they ask for
> users' password or not?

Yes, they ask the user for a password.

/etc/pam.d/{chfn,chsh,chpasswd} from my system (where I'm using NIS):

# cat chsh chfn chpasswd
#%PAM-1.0
auth            required        pam_listfile.so item=user sense=allow file=/etc/security/chsh.allow onerr=fail
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         required        pam_unix.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so md5 shadow use_authtok
password        required        pam_make.so /var/db
password        required        pam_make.so /var/yp
session         required        pam_unix.so

#%PAM-1.0
auth            required        pam_listfile.so item=user sense=allow file=/etc/security/chfn.allow onerr=fail
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         required        pam_unix.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so md5 shadow use_authtok
password        required        pam_make.so /var/db
password        required        pam_make.so /var/yp
session         required        pam_unix.so

#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         required        pam_permit.so
password        required        pam_make.so /var/db
password        required        pam_make.so /var/yp

It works as expected on PAM 0.77. I have just checked shadow 4.0.13 on Fedora,
where PAM is 0.80, and (strangely) it works as you report.

> In Debian, chsh and chfn of 4.0.3 used to _ask_
> ordinary users for password:
> > ramazan@cherokee:~/shadow/svn/pkg-shadow/trunk$ chsh -s /bin/zsh
> > Password: 
> with new code they won't.
> 
> We should decide whether to keep old behavior for
> Debian's passwd by patching or maybe perform
> pam-ification on chfn/chsh?

PAMifying these programs allows using these tools not only on the "files" NSS type
database, without touching shadow code. So it must work as expected.
The question is: why does it not work as expected on the newer PAM (?) :>

kloczek
-- 
-----------------------------------------------------------
*People don't have problems, they just create them for themselves*
-----------------------------------------------------------
Tomasz Kłoczko, sys adm @zie.pg.gda.pl|*e-mail: kloczek at rudy.mif.pg.gda.pl*
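
Added example (not part of the original message, and not shadow or Linux-PAM code): a simplified Python model of how the auth lines of the chsh file quoted above are evaluated, showing who gets a password prompt and why the order of the lines matters. The function names, the user names and the reduced module behaviour (pam_listfile as a membership check, pam_rootok as uid == 0, pam_unix as a password prompt) are assumptions for illustration.

```python
# Simplified model of the Linux-PAM control flags "required", "requisite"
# and "sufficient", applied to the chsh auth stack from the message.
CHSH_PAM = """\
#%PAM-1.0
auth            required        pam_listfile.so item=user sense=allow file=/etc/security/chsh.allow onerr=fail
auth            sufficient      pam_rootok.so
auth            required        pam_unix.so
account         required        pam_unix.so
"""

def parse_stack(text, mgmt):
    """Return [(control, module, args)] for one management group, in file order."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) >= 3 and fields[0] == mgmt:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack

def run_auth(stack, uid, user, allow_list, password_ok):
    """Walk the auth stack; return (authenticated, prompted_for_password)."""
    failed = False      # set once any "required" module has failed
    prompted = False
    for control, module, _args in stack:
        if module == "pam_listfile.so":      # assumed: sense=allow, item=user
            ok = user in allow_list
        elif module == "pam_rootok.so":      # succeeds only for the real uid 0
            ok = uid == 0
        elif module == "pam_unix.so":        # the module that asks for a password
            prompted = True
            ok = password_ok
        else:
            raise ValueError("module not modelled: " + module)
        if ok and control == "sufficient" and not failed:
            return True, prompted            # success, rest of the stack is skipped
        if not ok and control == "requisite":
            return False, prompted           # immediate failure
        if not ok and control == "required":
            failed = True                    # remembered, but the stack keeps running
    return not failed, prompted

if __name__ == "__main__":
    auth = parse_stack(CHSH_PAM, "auth")
    allow = {"root", "alice"}                # constructed contents of chsh.allow
    for uid, user in [(0, "root"), (1000, "alice"), (1000, "bob")]:
        print(user, run_auth(auth, uid, user, allow, password_ok=True))
```

In this model root skips the prompt only when root is also listed in the allow file, because a failed required pam_listfile line prevents the later sufficient pam_rootok from short-circuiting the stack.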

