I think you should read passwd(1) a bit more thoroughly because it explains quite a bit about the process. It makes it quite clear that passwd is focused on locally stored passwords:
Code:
The passwd utility has built-in support for NIS. If a user exists in the
NIS password database but does not exist locally, passwd automatically
switches into yppasswd mode. If the specified user does not exist in
either the local password database or the NIS password maps, passwd
returns an error.
Which makes me conclude that passwd definitely has its limitations. This is also illustrated in the section which explains Kerberos:
Code:
To change another user's Kerberos password, one must first run kinit(1)
followed by passwd. The super-user is not required to provide a user's
current password if only the local password is modified.
What doesn't make sense is that passwd is supposed to be pam aware, yet it puts a restriction on what the user source must be.
To my understanding PAM is all about authentication, not necessarily password management. This is strongly hinted at if you read pam(3) and pam.conf(5).
passwd is capable of using the PAM framework to make sure that the user has the required privileges it needs to utilize it, but it doesn't use that framework to actually manage the password database(s). See also /etc/pam.d/passwd:
Code:
# passwd(1) does not use the auth, account or session services.
# password
#password requisite pam_passwdqc.so enforce=users
password required pam_unix.so no_warn try_first_pass nullok
Isn't the purpose of being PAM aware to allow the end user to configure their PAM stack according to their needs?
I'm definitely not an expert on PAM but if I check pam(3) then I come across this:
Code:
Password Management
The pam_chauthtok() function allows the server to change the user's
password, either at the user's request or because the password has
expired.
If you then look into pam_chauthtok(3) you'll see that this routine only seems to be used to make sure that the user authentication remains in sync with the framework; nowhere does it mention anything about actually performing the change in password.
It clearly states that it is the server which changes the password, but never mentions that this operation is performed through the PAM framework, making me conclude that it is the server which changes the password and then has to ensure that PAM is aware and the session stays valid.
This is backed up by pam(3) which states that the definition for 'the server' is:
Code:
In PAM parlance, the application that uses PAM to authenticate a user is
the server, and is identified for configuration purposes by a service
name, which is often (but not necessarily) the program name.
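To make the /etc/pam.d/passwd stack quoted above concrete, here is an added example of my own (not code from the thread, from FreeBSD or from OpenPAM): it parses a pam.d-style file and walks a `password` chain the way pam_chauthtok() would, applying the control-flag rules described in pam.conf(5). The first sample is the stack quoted above; the stricter variant with the pam_passwdqc line uncommented is constructed for comparison, and the module results fed in are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed sample: the /etc/pam.d/passwd stack quoted in the post above.
SAMPLE_PAMD_PASSWD = """\
# passwd(1) does not use the auth, account or session services.
# password
#password requisite pam_passwdqc.so enforce=users
password required pam_unix.so no_warn try_first_pass nullok
"""

# Constructed variant: same file with the pam_passwdqc line enabled.
STRICT_PAMD_PASSWD = SAMPLE_PAMD_PASSWD.replace("#password requisite", "password requisite")


@dataclass
class Entry:
    facility: str            # auth, account, session or password
    control: str             # required, requisite, sufficient, optional, binding
    module: str              # e.g. pam_unix.so
    args: list[str] = field(default_factory=list)


def parse_pamd(text: str) -> list[Entry]:
    """Parse a /etc/pam.d/<service> file (service column omitted).
    Handles '#' comments and backslash line continuations."""
    entries = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed pam.d line: {line!r}")
        entries.append(Entry(parts[0], parts[1], parts[2], parts[3:]))
    return entries


def run_chain(entries: list[Entry], facility: str, results: dict[str, bool]) -> bool:
    """Simplified model of how the PAM library walks one facility's chain
    (e.g. the 'password' chain driven by pam_chauthtok()). `results` maps a
    module name to the hypothetical success/failure its pam_sm_* call returns."""
    chain = [e for e in entries if e.facility == facility]
    if not chain:
        return False                 # nothing configured for this facility: the call fails
    failed, last = False, False
    for e in chain:
        last = results.get(e.module, False)
        if last:
            if e.control in ("sufficient", "binding") and not failed:
                break                # success short-circuits the rest of the chain
            continue
        if e.control == "requisite":
            return False             # failure ends the chain immediately
        if e.control in ("required", "binding"):
            failed = True            # keep going, but the chain will report failure
        # a failing sufficient/optional module is ignored
    return False if failed else last
```

With only pam_unix.so in the chain, the outcome is whatever that module reports; enabling pam_passwdqc.so as requisite means a password it rejects never reaches pam_unix.so at all.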