# PAM passwd retries

## JC Denton

Okay, so this is annoying me:

```
Changing password for user.
(current) UNIX password:
New password:
Retype new password:
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a dictionary word
BAD PASSWORD: it is based on a dictionary word
passwd: Have exhausted maximum number of retries for service
passwd: password unchanged
```

Yet on another system, a dictionary failure does not make `passwd` fail entirely:

```
Changing password for user.
(current) UNIX password:
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
Retype new UNIX password:
passwd: password updated successfully
```

Both systems have the same /etc/pam.d/passwd:

```
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
```

... and the same /etc/pam.d/system-auth:

```
auth            required        pam_env.so
auth                            [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
auth            required        pam_unix.so try_first_pass likeauth nullok
account         required        pam_unix.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
```

It's not just dictionary failures.  Any kind of pam_cracklib (module) failure "repeats" three times on the first system, never giving the user an opportunity to fix the problem.

Any PAM experts out there with a clue on why this is happening? I'm almost at wit's end trying to figure it out...

----------

## gerdesj

Have you compared the PAM versions?

Cheers

Jon

----------

## JC Denton

*gerdesj wrote:*

> Have you compared the PAM versions?
> 
> Cheers
> 
> Jon

 

Did an update on the behaving machine.  Both now have:

```
[I--] [  ] sys-apps/shadow-4.1.2.2 (0)
[I--] [  ] sys-auth/pambase-20100310 (0)
```

And both are now experiencing the problem.  Seems bug report worthy, no?

----------

## Rexilion

No, it's not worth a bug report; I think it's intentional:

IUSE="debug cracklib passwdqc consolekit gnome-keyring selinux mktemp ssh +sha512"

The cracklib and passwdqc both refer to 'password strength checking'. Disabling those should get you further. However, you should really consider changing the password as the program recommends...

----------

## JC Denton

*Rexilion wrote:*

> No, it's not worth a bug report; I think it's intentional:
> 
> IUSE="debug cracklib passwdqc consolekit gnome-keyring selinux mktemp ssh +sha512"
> 
> The cracklib and passwdqc both refer to 'password strength checking'. Disabling those should get you further. However, you should really consider changing the password as the program recommends...

 

I was referring to the fact that you can't retry after inputting a weak password.  On the "broken" version, it just repeats the error three times and gives up.

----------
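An added example, not part of any post in this thread: a small Python parser for the `system-auth` line format quoted in the first post. It reports the password stack's `retry` value and `use_authtok` flag, and diffs the password rules of two hosts. The function names and the embedded sample are constructed for illustration; `include` resolution and bracketed module arguments are not handled.

```python
import re

# Constructed sample: four lines copied from the system-auth file quoted in the thread.
SAMPLE = """\
auth            required        pam_env.so
auth                            [success=done ignore=ignore auth_err=die default=bad] pam_skey.so
password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
"""

# type, control (one word or a [value=action ...] list), module, arguments
RULE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Parse PAM rule lines into dicts with type, control, module and opts."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments such as "#%PAM-1.0"
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        mtype, control, module, rest = m.groups()
        opts = {}
        for tok in rest.split():
            key, sep, val = tok.partition("=")
            opts[key] = val if sep else True  # bare flags map to True
        rules.append({"type": mtype.lstrip("-"), "control": control,
                      "module": module, "opts": opts})
    return rules

def password_summary(rules):
    """Report the strength-check module, its explicit retry=, and pam_unix use_authtok."""
    out = {"quality_module": None, "retry": None, "unix_use_authtok": False}
    for r in (r for r in rules if r["type"] == "password"):
        if r["module"] in ("pam_cracklib.so", "pam_passwdqc.so"):
            out["quality_module"] = r["module"]
            out["retry"] = int(r["opts"]["retry"]) if "retry" in r["opts"] else None
        elif r["module"] == "pam_unix.so":
            out["unix_use_authtok"] = "use_authtok" in r["opts"]
    return out

def diff_password_rules(text_a, text_b):
    """Return password rules found on only one host as (host, module, opts)."""
    a = [r for r in parse_pam(text_a) if r["type"] == "password"]
    b = [r for r in parse_pam(text_b) if r["type"] == "password"]
    return ([("a", r["module"], r["opts"]) for r in a if r not in b] +
            [("b", r["module"], r["opts"]) for r in b if r not in a])
```

An empty diff between two hosts that behave differently means the configuration is not the variable, which leaves the installed package versions as the next thing to compare.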

