With a clean install of sys-auth/pambase-20080318 with cracklib enabled, passwd logs an error to syslog complaining that the try_first_pass option is unknown to the pam_cracklib module. Reproducible: Always Steps to Reproduce: 1. Install sys-auth/pambase-20080318 with cracklib USE flag. 2. Change password. Actual Results: Password is changed successfully, but two errors are logged: Jul 14 18:57:01 heinlein passwd[6730]: pam_cracklib(passwd:chauthtok): pam_parse: unknown option; try_first_pass Jul 14 18:57:04 heinlein passwd[6730]: pam_cracklib(passwd:chauthtok): pam_parse: unknown option; try_first_pass Jul 14 18:57:10 heinlein passwd[6730]: pam_unix(passwd:chauthtok): password changed for brian Expected Results: Expected no logged errors. The culprit is the following line in /etc/pam.d/system-auth: password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3 According to the pam_cracklib documentation at http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_cracklib.html the pam_cracklib module does not support the try_first_pass option. Removing this option from that line eliminates the logged error. Portage 2.1.4.4 (default/linux/x86/2008.0, gcc-4.1.2, glibc-2.6.1-r0, 2.6.24-gentoo-r8-heinlein i686) ================================================================= System uname: 2.6.24-gentoo-r8-heinlein i686 Intel(R) Celeron(R) CPU 430 @ 1.80GHz Timestamp of tree: Mon, 14 Jul 2008 07:45:03 +0000 app-shells/bash: 3.2_p33 dev-lang/python: 2.4.4-r13 dev-python/pycrypto: 2.0.1-r6 sys-apps/baselayout: 1.12.11.1 sys-apps/sandbox: 1.2.18.1-r2 sys-devel/autoconf: 2.61-r2 sys-devel/automake: 1.10.1 sys-devel/binutils: 2.18-r3 sys-devel/gcc-config: 1.4.0-r4 sys-devel/libtool: 1.5.26 virtual/os-headers: 2.6.23-r3 ACCEPT_KEYWORDS="x86" CBUILD="i686-pc-linux-gnu" CFLAGS="-O2 -march=nocona -pipe -fomit-frame-pointer" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo /etc/udev/rules.d" CXXFLAGS="-O2 -march=nocona -pipe -fomit-frame-pointer" DISTDIR="/usr/portage/distfiles" FEATURES="collision-detect distlocks metadata-transfer parallel-fetch sandbox sfperms strict unmerge-orphans userfetch" GENTOO_MIRRORS="http://gentoo.chem.wisc.edu/gentoo" LDFLAGS="-Wl,-O1" LINGUAS="en" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync21.us.gentoo.org/gentoo-portage" USE="acl berkdb bzip2 cli cracklib crypt cups dri fortran gdbm gpm iconv isdnlog midi mudflap ncurses nls nptl nptlonly openmp pam pcre perl pppd python readline reflection session spl ssl tcpd unicode x86 xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
I just seen this bug and I just released a new version :/ I'll fix this in therepo and make sure that it's queued up for the next version that I'd hopefully will be releasing in August.
It seems that not fixed. [I--] [ ] sys-auth/pambase-20080318 (0) [I--] [ ] sys-libs/cracklib-2.8.12 (0) $equery uses pambase + + cracklib : Support for cracklib strong password checking /etc/pam.d/system-auth:password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
It's fixed in ~arch version. -rw-r--r-- 1 flame flame 2797 2008-09-29 06:52 pambase-20080318.ebuild -rw-r--r-- 1 flame flame 2828 2008-08-01 16:37 pambase-20080730.ebuild -rw-r--r-- 1 flame flame 3530 2008-08-27 02:08 pambase-20080801.ebuild -rw-r--r-- 1 flame flame 2515 2008-09-29 07:25 pambase-20080801-r1.ebuild -rw-r--r-- 1 flame flame 3531 2008-10-28 22:59 pambase-20081028.ebuild -rw-r--r-- 1 flame flame 2533 2008-11-12 22:02 pambase-20081028-r1.ebuild
