Debugging a PAM LDAP password expiration problem


While testing out LDAP authentication on a CentOS 4.4 Linux host this week, I noticed that the “password” statements I added to /etc/pam.d/sshd weren’t taking effect:

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so

After pondering the issue for a while, I eventually started to wonder if the “passwd” utility was called by sshd to change user passwords. To see if this was the case, I decided to expire a user’s password, and then strace sshd while I logged in as that user:

$ strace -f -e trace=execve -p 2616

Process 2616 attached - interrupt to quit
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 26638 attached
[pid 26638] execve("/usr/sbin/sshd", ["/usr/sbin/sshd", "-R"], [/* 14 vars */]) = 0
Process 26639 attached
Process 26639 detached
[pid 26638] --- SIGCHLD (Child exited) @ 0 (0) ---
Process 26640 attached
Process 26641 attached
[pid 26641] execve("/usr/bin/passwd", ["passwd"], [/* 14 vars */]) = 0
Process 26641 detached
[pid 26640] --- SIGCHLD (Child exited) @ 0 (0) ---
Process 26640 detached
[pid 26638] --- SIGCHLD (Child exited) @ 0 (0) ---
Process 26638 detached
--- SIGCHLD (Child exited) @ 0 (0) ---
Process 2616 detached

Sure enough, /usr/bin/passwd is called to change an expired password. To verify that the sshd daemon was the entity invoking /usr/bin/passwd, I used the strings utility to see if the string “/usr/bin/passwd” resided in the data segment of the sshd executable:

$ strings sshd | grep passwd

kerberosorlocalpasswd
/usr/bin/passwd
auth2-passwd.c
%s: struct passwd size mismatch
sshpam_passwd_conv
sshpam_auth_passwd

Once I knew that sshd called /usr/bin/passwd, the behaviour made sense: passwd is a separate PAM client, so it consults /etc/pam.d/passwd rather than /etc/pam.d/sshd, and the “password” lines I had added to the sshd service definition were never consulted. I added my changes to /etc/pam.d/system-auth (which is “stacked” by pam_stack.so in /etc/pam.d/passwd), and everything worked as expected. I kinda dig the stacking capabilities that come out of the box with CentOS 4.4, since you can make a change in one location (/etc/pam.d/system-auth), and its effects are propagated to all service definitions in /etc/pam.d.
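To make the stacking visible without reading each file by hand, here is an added helper (not part of the original post) that resolves the effective “password” stack for a PAM service, following pam_stack.so service=… lines as well as the newer include/substack syntax. It builds a constructed pam.d directory under mktemp that mirrors the situation described above: pam_ldap.so present in the sshd file but absent from system-auth, which is what the passwd service actually uses. The file contents, directory layout and function names are assumptions for the demonstration; on a real host you would point it at /etc/pam.d.

```shell
#!/bin/sh
# Added example: print the effective PAM stack of one type (auth, account,
# password, session) for a service, expanding pam_stack.so service=NAME
# (CentOS 4 era) and "include"/"substack" (newer pam) recursively.
# Usage: pam_stack_resolve PAMD_DIR SERVICE TYPE

pam_stack_resolve() {
    # $1 = pam.d directory, $2 = service name, $3 = stack type
    # Positional parameters are used throughout because they are local to
    # each recursive call in POSIX sh (plain variables would not be).
    file="$1/$2"
    [ -r "$file" ] || { printf 'no such service file: %s\n' "$file" >&2; return 1; }
    # Drop comments, keep only lines whose first field is the requested type.
    sed -e 's/#.*//' "$file" | awk -v t="$3" '$1 == t' |
    while read -r ptype ctrl module args; do
        case "$module" in
        *pam_stack.so)
            # pam_stack.so service=NAME pulls in NAME's stack of the same type
            sub=$(printf '%s\n' "$args" | sed -n 's/.*service=\([^ ]*\).*/\1/p')
            pam_stack_resolve "$1" "$sub" "$3"
            ;;
        *)
            case "$ctrl" in
            include|substack)
                # newer syntax: "password include system-auth"
                pam_stack_resolve "$1" "$module" "$3"
                ;;
            *)
                # a real module line: report which file it came from
                printf '%s\t%s\t%s\t%s\n' "$2" "$ctrl" "$module" "$args"
                ;;
            esac
            ;;
        esac
    done
}

# count_module PAMD_DIR SERVICE TYPE MODULE: how many effective lines
# of that type reference MODULE (0 means the module is never consulted).
count_module() {
    pam_stack_resolve "$1" "$2" "$3" | grep -c "$4" || true
}

# setup_demo: constructed pam.d tree reproducing the mismatch from the post
# (pam_ldap.so added to sshd only; passwd stacks system-auth). Prints the dir.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/pam.d"
    cat > "$d/pam.d/sshd" <<'EOF'
#%PAM-1.0
auth       required   pam_stack.so service=system-auth
password   requisite  /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password   required   /lib/security/$ISA/pam_deny.so
EOF
    cat > "$d/pam.d/passwd" <<'EOF'
#%PAM-1.0
auth       required   pam_stack.so service=system-auth
account    required   pam_stack.so service=system-auth
password   required   pam_stack.so service=system-auth
EOF
    cat > "$d/pam.d/system-auth" <<'EOF'
#%PAM-1.0
password   requisite  /lib/security/$ISA/pam_cracklib.so retry=3
password   sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password   required   /lib/security/$ISA/pam_deny.so
EOF
    printf '%s\n' "$d/pam.d"
}

# Stand-alone use: ./pamstack.sh /etc/pam.d passwd password
if [ "$#" -eq 3 ]; then
    pam_stack_resolve "$@"
fi
```

Running it against the constructed tree with “passwd password” shows only pam_cracklib.so, pam_unix.so and pam_deny.so, all attributed to system-auth, while “sshd password” lists pam_ldap.so; that difference is exactly why the edit in the sshd file had no effect on password changes.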

This article was posted by Matty on 2007-01-20 16:00:00 -0400