SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Forcing it (not the case through 14.2) then having to do that is not good enough (but up to 14.2 and FreeBSD w/PAM is.)
It seems it may be worth reading through your /etc/pam.d/system-auth.conf file. Your complaints seem to be easily changed by commenting out the first two password lines and uncommenting the third (make sure you leave the 4th uncommented).
Code:
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
password requisite pam_pwquality.so minlen=6 retry=3
password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
#password sufficient pam_unix.so nullok sha512 shadow minlen=6
Should be changed to:
Code:
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
#password requisite pam_pwquality.so minlen=6 retry=3
#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
password sufficient pam_unix.so nullok sha512 shadow minlen=6
It seems it may be worth reading through your /etc/pam.d/system-auth.conf file. Your complaints seem to be easily changed by commenting out the first two password lines and uncommenting the third (make sure you leave the 4th uncommented).
Thank you, but for some reason, I don't have '/etc/pam.d/*.conf:' only 36 other files (without file-name extensions... and is an entire 36 classic Unix-style 'doing one thing and doing it well?!') there, including system-auth, which looks completely different. I even went to default pure/classic/original (text-only/non-X) console (tty0) terminal (text-only/non-X,) successfully did (in /var/log/packages/pam) 'removepkg pam' & 'slackpkg install pam,' 'slackpkg new-config'... there were no new configuration files (still no /etc/pam.d/*.conf.) I've been reinstalling Slackware-current & FreeBSD-current often almost a month (to hopefully share /home) but already needed to learn a couple years Slackware changes, now this century-historic change. Currrently after a couple broken installs w/PAM (already tried making all configuration optional... didn't help, so I reinstalled; another time I didn't do much/anything to PAM but it put adduser into an infinite error loop) I may not have zeroed (trim, blkdiscard) my Slackware operating system's (OS) solid state drive's (SSD) partition after previous broken install, and doesn't sometimes some data remain on EXT (EXT4) partitions even after a so-called 'format?' Maybe I just need to zero the SSD and start over so that configuration file will appear next time... or is this repairable at this point? Maybe somehow we're on different versions? I updated mine mere seconds ago (no changes to PAM; only overwrite SBo's dash; shell, which I'm almost sure is irrelevant here.)
That's fine if someone can research for hours/day/weeks to make Slackware-current strictly Unix-like that way, but when surviving classic Unix still has original default (passwords optional) the issue is whether by next Slackware-stable release someone should encounter that kludge unexpectedly.
I pasted your exact second example into the exact filename given... nothing changed.
Thank you, but for some reason, I don't have '/etc/pam.d/*.conf:' only 36 other files (without file-name extensions... and is an entire 36 classic Unix-style 'doing one thing and doing it well?!') there, including system-auth, which looks completely different. I even went to default pure/classic/original (text-only/non-X) console (tty0) terminal (text-only/non-X,) successfully did (in /var/log/packages/pam) 'removepkg pam' & 'slackpkg install pam,' 'slackpkg new-config'... there were no new configuration files (still no /etc/pam.d/*.conf) I've been reinstalling Slackware-current & FreeBSD-current often almost a month (to hopefully share /home) but already needed to learn a couple years Slackware changes, now this historic change. Currrently after a couple broken PAM installs (I already tried making all configuration optional... didn't help, so I reinstalled; another time I didn't do much/anything new for PAM but it put adduser into an infinite error loop.) I may not have zeroed (trim, blkdiscard) my Slackware operating system (OS) partition after a broken install, and doesn't sometimes some data remain on EXT (EXT4) partitions even after a 'format?' Maybe I just need to zero the SSD and start over so that configuration file will appear next time... or is this repairable at this point? Maybe somehow were on different 'current' versions? I updated mine mere seconds ago (no changes to PAM; only overwrite SBo's dash, which I'm almost sure is irrelevant here)
That's fine if someone can research for hours/day/weeks to make Slackware-current Unix-like that way, but when surviving classic Unix still has the original default (passwords optional) the issue is whether by next Slackware-stable release someone should encounter this unexpectedly.
Sorry, the file didn't end in .conf and I posted too quickly. Typically files in .d/ directories. I am not running -current, so I extracted the package to look through the files to help you out. They all ended in .new and I was thinking it was system-auth.conf.new, when it was just system-auth.new.
Just change those lines in /etc/pam.d/system-auth and you should be good.
Maybe it would've been better to open up a new post and ask how to do something rather than slam Pat for doing it this way. This is new software and it is going to take time to get used to.
The way Linux and UNIX work changes over time. Do you really think that no configuration files ever changed? That the login process never changed? When things change, you either need to embrace it and learn to use it as is or find out how to tweak it to restore previous behavior. Instead you decided to do either and instead complain on here without even asking how to restore the previous behavior.
Update: pasted your exact second example into the exact filename given... nothing changed; PAM still having its programmers automatically manage/restrict my system remotely like Apple/Microsoft/Google/etc. manage/restrict system administrators (sysadmins; ) Apple/Microsoft/Google/PAM/Debian/RedHat/etc. dismiss/disrespect original/older hacker culture.
If you're going to continue to complain, I'm outta here. Best of luck figuring it out!
Sorry, the file didn't end in .conf and I posted too quickly. Typically files in .d/ directories. I am not running -current, so I extracted the package to look through the files to help you out. They all ended in .new and I was thinking it was system-auth.conf.new, when it was just system-auth.new.
Just change those lines in /etc/pam.d/system-auth and you should be good.
Okay; now can't enter blank nor string password... infinite error loop: )
Code:
passwd: Authentication token manipulation error
that's passwd: password unchanged
- Warning: An error occured while setting the password for
this account. Please try again.
Quote:
Maybe it would've been better to open up a new post and ask how to do something rather than slam Pat for doing it this way. This is new software and it is going to take time to get used to.
Note/reread I haven't and am not 'slamming' him; other Slackware team members started/created PAM packages and have been updating to make more Unix-like (but not all may use this option themselves.) I simply didn't want to bother Mr. Volkerding (Patrick, Pat) with email. By posting in main topic thread in (quasi-)official forum, team becomes aware and hopefully those who started/created PAM packages can fix (maybe Pat wants to focus on other (bigger?) things.) It's not like Slackware-current is something secret. I'm merely reporting difficulties/bugs similar people can expect (many don't even use current yet but might try.)
If majority of older Unix hackers, such as my elderly/retired professors (or especially surviving original/founder/god hackers who taught them) claim 'you need to embrace [change ending classic Unix-style]' I might consider (but state my view/experience, maybe politely disagree or drop topic; ) other such opinions will be absolutely ignored.
I haven't read all your long posts.
I will just try to help you in configuring PAM for your purpose and also because I may have the same use case in the future. We're all learning how to deal with PAM in Slackware current and missteps may happen.
bassmadrigal tried to help you but will probably have difficulty going further because he's not using current.
Back to your issues. Can you post the content of /etc/pam.d/system-auth that causes the issues? The orders of instructions in the file is important. Also which command is failing: passwd, adduser?
[...] Can you post the content of /etc/pam.d/system-auth that causes the issues? The orders of instructions in the file is important. Also which command is failing: passwd, adduser?
I only did what bassmadrigal said (had to work on it; wrong combination of lines causes adduser infinite loops without getting to passwd) but now just passwd forces non-blank password. Of course, I can enter & erase; waste huge time in future.
Code:
#%PAM-1.0
#
# Most of these PAM modules have man pages included, like
# pam_unix(8) for example.
#
##################
# Authentication #
##################
#
auth required pam_env.so
auth optional pam_group.so
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
auth optional pam_gnome_keyring.so
##################
# Account checks #
##################
#
# Only root can login if file /etc/nologin exists.
# This is equivalent to NOLOGINS_FILE on login.defs
#
account required pam_nologin.so
#
# Enable restrictions by time, specified in /etc/security/time.conf
# This is equivalent to PORTTIME_CHECKS_ENAB on login.defs
#
account required pam_time.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_permit.so
#############################
# Password quality checking #
#############################
#
# Please note that unless cracklib and libpwquality are installed, setting
# passwords will not work unless the lines for the pam_pwquality module are
# commented out and the line for the traditional no-quality-check password
# changing is uncommented.
#
# The pam_pwquality module will check the quality of a user-supplied password
# against the dictionary installed for cracklib. Other tests are (or may be)
# done as well - see: man pam_pwquality
#
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
#password requisite pam_pwquality.so minlen=6 retry=3
#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
password sufficient pam_unix.so nullok sha512 shadow minlen=6
# ATTENTION: always keep this line for pam_deny.so:
password required pam_deny.so
#########################
# Session Configuration #
#########################
#
# This applies the limits specified in /etc/security/limits.conf
#
session required pam_limits.so
session required pam_unix.so
#session required pam_lastlog.so showfailed
#session optional pam_mail.so standard
session optional pam_gnome_keyring.so auto_start
it seems that XDG_SESSION_COOKIE is not set when using PAM ...
It is on mine (logging in via xdm) pam_ck_connector.so creates it when run without the nox11 option.
It also appears to mount a tmpfs for /var/run/user/$UID, but apparently fails to set XDG_RUNTIME_DIR to point to it.
I confirmed it by logging in with a failsafe session which doesn't use any xinitrc/xsession file other than /etc/X11/xdm/Xsession.
Last edited by GazL; 05-24-2020 at 05:26 AM.
Reason: typo
I only did what bassmadrigal said (had to work on it; wrong combination of lines causes adduser infinite loops without getting to passwd) but now just passwd forces non-blank password. Of course, I can enter & erase (unacceptable; ) waste huge time in future.
Code:
# Default password quality checking with pam_pwquality. If you don't want
# password quality checking, comment out these two lines and uncomment the
# traditional password handling line below.
#password requisite pam_pwquality.so minlen=6 retry=3
#password sufficient pam_unix.so nullok sha512 shadow minlen=6 try_first_pass use_authtok
# Traditional password handling without pam_pwquality password checking.
# Commented out by default to use the two pam_pwquality lines above.
#password sufficient pam_unix.so nullok sha512 shadow minlen=6
You didn't uncomment the above red line. Remove the # character at the beginning of this line and it should be better.
You didn't uncomment the above red line. Remove the # character at the beginning of this line and it should be better.
Oops; old version; updated. After I uncommented that, it stopped the infinite loop (as mentioned.) Now I simply can't setup users I decide to enter blank password (since PAM decided to restrict passwd.)
I'm not sure what you mean by "not enter password for a user". Do you mean that you pressed "Enter" when prompted for a password? I don't know if this method qualifies as a blank password for PAM.
This line you just uncommented in /etc/pam.d/system-auth has some parameters:
"nullok" should allow blank password but I don't know what is blank password here.
"minlen=6" means that a password should have a minimum length of 6 characters. If you pressed "Enter" when prompted for a password, it's possible that the user password is a zero-length string ("") and this is not allowed with this option.
Try without the "minlen=6" option.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.