[nycbug-talk] Change password at next login?

Tim A. techneck at goldenpath.org
Tue Apr 29 21:51:51 EDT 2008


Miles Nordin wrote:
> PAM isn't cool.  It's also full of bugs, and its behavior can be
> reliably known only by observation which is exactly the type of
> quirkiness what you *DO NOT* want from a subsystem meant to be
> checking passwords!  no, you don't have to write n * m bits of special
> code, but everyone has m broken applications, and n * m things to test
> looking for surprise security problems.  and, as you found, debuggers
> don't work well any more, source code is hard to find, and the
> internal behavior of modules is not documented, only rather optimistic
> fantasies of how to configure the module are sometimes partially
> documented.  PAM's an embarrassment.


That's funny. I thought it seemed kind of wacky but I didn't want to dis 
it because apparently everyone else is using it and I figured I was just 
using it wrong.

If it's so totally wacked out though, why would they have made it the 
default in such a critical system component as security?

I have a base of untrusted, mostly irresponsible users who are more than 
glad to set themselves a blank password if they can.
All I want to do is be able to reset someone's password while requiring 
them to change it at next login (over SSH) and enforce some minimal 
complexity requirement. I don't need to make it work with ldap or imap 
or anything else. The only thing they connect to this machine for is to 
run a legacy custom application.
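Added example, not from the original thread: one way to cover the three requirements in the post (reset a password, force a change at next SSH login, require a minimum length) on FreeBSD using the base system's own knobs rather than a custom PAM module. It assumes FreeBSD (pw(8), login.conf(5), pam_unix(8)) and that sshd_config has `UsePAM yes`, so that pam_unix's account check reports the expired password and sshd runs the change dialogue. The function names and the `01-jan-2000` date are my own choices. `passwd_meets_policy` is a local shell mirror of the `minpasswordlen` check and the all-lowercase warning from login.conf, useful for a pre-check in a helpdesk script; the real enforcement remains with passwd(1)/pam_unix (uncomment the `pam_passwdqc.so` line in /etc/pam.d/passwd for stronger rules).

```sh
#!/bin/sh
# Assumed platform: FreeBSD. Run the pw/cap_mkdb steps as root.

# Print the login.conf(5) capabilities to add to the "default:" class.
# minpasswordlen is enforced by passwd(1); mixpasswordcase makes passwd(1)
# warn about all-lowercase passwords. After editing run: cap_mkdb /etc/login.conf
login_conf_policy() {
    min=${1:-8}
    printf '\t:minpasswordlen=%s:\\\n' "$min"
    printf '\t:mixpasswordcase=true:\\\n'
}

# Local mirror of that policy: minimum length plus "not all lowercase".
# Returns 0 when the candidate passes, 1 otherwise. Empty passwords fail.
passwd_meets_policy() {
    cand=$1
    min=${2:-8}
    [ "${#cand}" -ge "$min" ] || return 1
    case $cand in
        *[A-Z]*) ;;          # has at least one upper-case letter
        *) return 1 ;;       # all lower case (or no letters at all)
    esac
    return 0
}

# Reset a user's password, reading the new one from stdin (pw -h 0), then
# push the password-change date into the past so that pam_unix reports
# PAM_NEW_AUTHTOK_REQD and the next login (including via sshd with
# UsePAM yes) forces the user to pick a new password.
reset_and_expire() {
    user=$1
    pw usermod "$user" -h 0 || return 1
    pw usermod "$user" -p 01-jan-2000
}

# Example usage (constructed; runs only when invoked as a script on FreeBSD):
#   login_conf_policy 8                  # paste output into /etc/login.conf default:
#   printf '%s\n' 'Temp0raryPW' | reset_and_expire alice
```

Running `login_conf_policy` and appending its output to the `default:` class (then `cap_mkdb /etc/login.conf`) is what turns the length rule on for passwd(1); `reset_and_expire` is the per-user step the post asks for.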
