I am working on modifying the source code for the PAM module in CentOS 6.6. All I need to do is add an if statement to check the length of the password after the password has been changed. I made changes in the PAM source file under modules/pam_unix/pam_unix_password.c (shown below). These changes run successfully when I change the password at the login screen, but if I run the passwd command from a terminal window my if statement does not run at all. Can you please help explain why these changes work when changing the password at the login screen but not when changing the password with the passwd command in a terminal window?
My overall goal includes the following password requirements:
1. Minimum length of password is 8 characters. (This password will expire in 90 days.)
2. If password is 13 characters or greater, password will never expire.
NOTE: I already have a script that manages password expiration instead of using pam.
I have also tried modifying /etc/pam.d/system-auth. I set the minimum required password length to 8 characters, but I was unable to find a configuration that checks for a password of 13 characters or more and outputs that information to a file. I then turned to modifying the PAM source code to test whether the user entered a 13-character password and simply output the information to a file.
Here is the link where I downloaded the source RPM
http://www.rpmfind.net//linux/RPM/ce....el6.i686.html
These are the changes I made inside Linux-PAM-1.1.1/modules/pam_unix/pam_unix_password.c
...
static int _pam_unix_approve_pass(pam_handle_t * pamh
                                  ,unsigned int ctrl
                                  ,const char *pass_old
                                  ,const char *pass_new)
{
    const void *user;
    const char *remark = NULL;
    int retval = PAM_SUCCESS;

    D(("&new=%p, &old=%p", pass_old, pass_new));
    D(("new=[%s]", pass_new));
    D(("old=[%s]", pass_old));

    if (pass_new == NULL || (pass_old && !strcmp(pass_old, pass_new))) {
        if (on(UNIX_DEBUG, ctrl)) {
            pam_syslog(pamh, LOG_DEBUG, "bad authentication token");
        }
        _make_remark(pamh, ctrl, PAM_ERROR_MSG, pass_new == NULL ?
                     _("No password supplied") : _("Password unchanged"));
        return PAM_AUTHTOK_ERR;
    }

    /*
     * if one wanted to hardwire authentication token strength
     * checking this would be the place - AGM
     */
    retval = pam_get_item(pamh, PAM_USER, &user);
    if (retval != PAM_SUCCESS) {
        if (on(UNIX_DEBUG, ctrl)) {
            pam_syslog(pamh, LOG_ERR, "Can not get username");
            return PAM_AUTHTOK_ERR;
        }
    }

    /* everything in this block is skipped when UNIX__IAMROOT is set in ctrl */
    if (off(UNIX__IAMROOT, ctrl)) {
        if (strlen(pass_new) < 6)
            remark = _("You must choose a longer password");
        D(("length check [%s]", remark));

        /* added: the 13 character password check */
        if (strlen(pass_new) >= 13) {
            system("echo 13char > /tmp/Password_length.text");
        }

        if (on(UNIX_REMEMBER_PASSWD, ctrl)) {
            if ((retval = check_old_password(user, pass_new)) == PAM_AUTHTOK_ERR)
                remark = _("Password has been already used. Choose another.");
            if (retval == PAM_ABORT) {
                pam_syslog(pamh, LOG_ERR, "can't open %s file to check old passwords",
                           OLD_PASSWORDS_FILE);
                return retval;
            }
        }
    }
...
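Two things worth checking against the code above before going further. First, the added `if` sits inside `if (off(UNIX__IAMROOT, ctrl))`. In Linux-PAM 1.1.1, `_set_ctrl()` in modules/pam_unix/support.c sets UNIX__IAMROOT when the calling process has real UID 0 and PAM_CHANGE_EXPIRED_AUTHTOK is not among the flags, so a root shell running `passwd` skips that entire block (the 6-character minimum, the history check and the added check alike), while an expired-password change at the login screen is driven with PAM_CHANGE_EXPIRED_AUTHTOK and does go through it. Second, a PAM module runs with root privileges inside passwd and login, so `system("echo ... > /tmp/...")` spawns a root shell and writes through whatever /tmp/Password_length.text already is, including a symlink placed there by another user.

The following is an added example, not code from the original post and not Linux-PAM code. It shows the two pieces the post is after, written so that they could replace the `system()` call inside `_pam_unix_approve_pass` or be compiled and run on their own: a length classifier with the 8/13 thresholds, and a record function that appends only the user name and the length class (never the password) to a file opened O_APPEND|O_NOFOLLOW with mode 0600, for the expiry script to consume. The thresholds, the enum and function names, the tab-separated record format and the /tmp scratch path used by `demo_roundtrip()` are assumptions for this illustration; inside the real module the user name comes from `pam_get_item(pamh, PAM_USER, ...)` and failures would be reported with `pam_syslog` rather than `printf`.

```c
/* Added example, not Linux-PAM code: the 8/13 length policy and a file
 * record written without system(). Thresholds, names and the record
 * format are assumptions for this illustration. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define POLICY_MIN_LEN      8   /* assumed: shorter is rejected */
#define POLICY_NOEXPIRE_LEN 13  /* assumed: this long or longer never expires */

enum pw_class {
    PW_TOO_SHORT = 0,     /* reject: fewer than POLICY_MIN_LEN characters */
    PW_EXPIRES = 1,       /* accept: the expiry script applies its 90 days */
    PW_NEVER_EXPIRES = 2  /* accept: POLICY_NOEXPIRE_LEN or more characters */
};

/* Classify a candidate password by length only; NULL counts as too short. */
enum pw_class classify_password(const char *pass_new)
{
    size_t len;
    if (pass_new == NULL)
        return PW_TOO_SHORT;
    len = strlen(pass_new);
    if (len < POLICY_MIN_LEN)
        return PW_TOO_SHORT;
    if (len >= POLICY_NOEXPIRE_LEN)
        return PW_NEVER_EXPIRES;
    return PW_EXPIRES;
}

/* Append "user<TAB>class\n" to path. Only the user name and the class are
 * written, never the password. The caller is a PAM module running as root
 * inside passwd/login, so the file is opened O_APPEND|O_NOFOLLOW (a symlink
 * planted at a predictable path is not followed) and created mode 0600.
 * Returns 0 on success, -1 with errno set on failure. */
int record_password_class(const char *path, const char *user, enum pw_class cls)
{
    char line[256];
    int fd, n, saved;
    ssize_t w;
    if (path == NULL || user == NULL || strchr(user, '\n') != NULL) {
        errno = EINVAL;
        return -1;
    }
    n = snprintf(line, sizeof line, "%s\t%d\n", user, (int)cls);
    if (n < 0 || (size_t)n >= sizeof line) {
        errno = EINVAL;
        return -1;
    }
    fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
    if (fd < 0)
        return -1;
    w = write(fd, line, (size_t)n);
    if (w != (ssize_t)n) {
        saved = (w < 0) ? errno : EIO;
        close(fd);
        errno = saved;
        return -1;
    }
    return close(fd);
}

/* Write one record for a constructed 21-character password to a temporary
 * file and read it back. Returns 1 if the stored line is "alice<TAB>2\n". */
int demo_roundtrip(void)
{
    char path[] = "/tmp/pw_class_XXXXXX";   /* assumed scratch location */
    char buf[64] = { 0 };
    FILE *fp;
    int fd, ok = 0;
    fd = mkstemp(path);
    if (fd < 0)
        return 0;
    close(fd);
    if (record_password_class(path, "alice",
                              classify_password("correct-horse-battery")) == 0) {
        fp = fopen(path, "r");
        if (fp != NULL) {
            if (fgets(buf, sizeof buf, fp) != NULL)
                ok = (strcmp(buf, "alice\t2\n") == 0);
            fclose(fp);
        }
    }
    unlink(path);
    return ok;
}

int main(void)
{
    printf("short=%d eight=%d thirteen=%d\n", classify_password("short"),
           classify_password("eightch8"), classify_password("thirteenchars"));
    printf("roundtrip %s\n", demo_roundtrip() ? "ok" : "failed");
    return 0;
}
```

In the module itself the record file should live somewhere only root can write (for instance under /var/lib), not in /tmp, and the `user` pointer from `pam_get_item` is `const void *` and needs a cast to `const char *` before being passed to `record_password_class`.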