Re: pam storing sessions with old passwords?

Frank Nørvig <frank@xxxxxxxxxx> · Fri, 11 Apr 2008 08:32:20 +0200

I did some further testing and it seems it's a PAM problem and not LDAP 

as it's different servers (with Fedora 4 and pam 0.79) that remember the 

old password for different users. We only have one LDAP server so if it 

was LDAP was caching the old password, it would be possible to log in 

with the old password on all servers but that's not the case.

Also we were able to test it further with one of our users. She changed 

password 4 days ago and was still able to login with both her old (1) 

and new (2) password. We changed the password again (3) and this time 

she was able to login with her (1) password and (3) password, but not 

(2). Again, we changed it (4) and this time same pattern - she was able 

to login with (1) and (4) but not (2) and (3). And again with (5) it was 

same pattern.

It seems like PAM stores a session of an old password that it 

"recognizes" and instead of checking the password with the LDAP server 

it just lets the user in. Even when the user gets a new password and 

logs in with it :(

--- Frank
http://www.noervig.dk

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list