- 03-14-2011 #1
Using PAM to restrict ability to change password
Hi All,
I have some users authenticated with AD and some locally. I want to allow only local users and root to change their password with passwd, not users authenticating over AD. So far I have this in my /etc/pam.d/passwd file:
password sufficient pam_unix.so shadow nullok audit
password required pam_echo.so \
You CANNOT change your password using the Linux passwd command
password required pam_echo.so \
You must change your windows password in Active Directory
password requisite pam_deny.so
account include system-auth
password include system-auth
password required pam_deny.so
This works fine in allowing my normal users to change passwords and my AD users to be blocked. However, root cannot change passwords - the pam_rootok module seems only to work for auth - is there a way I can define root as a sufficient check for password?
Thanks in advance.
Craig
- 03-15-2011 #2
You should be able to just add
auth sufficient pam_rootok.so
to the top of your file to make that the first checked item.
I haven't messed around with this type of scenario, so I can't say for certain if it'll work or not.
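How the password stack from the first post is walked, as an added example that is not part of any post in this thread: a small Python model of the `sufficient`, `required` and `requisite` control flags. The module results passed in are assumptions (pam_unix succeeds for an account in the local shadow file and fails for an AD-only account), and the contents of system-auth are not on the page, so that include is skipped in the model.

```python
# Added illustration, not code from the thread. Module results are inputs
# (assumptions); only the control-flag logic of one PAM stack is modelled.

# "password" lines from the first post, in file order.
STACK = [
    ("sufficient", "pam_unix.so"),
    ("required",   "pam_echo.so"),
    ("required",   "pam_echo.so"),
    ("requisite",  "pam_deny.so"),
    ("include",    "system-auth"),
    ("required",   "pam_deny.so"),
]

def run_stack(stack, outcomes):
    """Walk the stack; return (granted, trace of modules actually run)."""
    required_failed = False
    succeeded = False
    trace = []
    for control, module in stack:
        if control == "include":
            # system-auth contents are unknown here, so it is not evaluated.
            trace.append((module, "skipped"))
            continue
        ok = outcomes[module]
        trace.append((module, "ok" if ok else "fail"))
        if ok:
            # sufficient + success ends the stack unless a required line failed earlier
            if control == "sufficient" and not required_failed:
                return True, trace
            succeeded = True
        elif control == "requisite":
            return False, trace      # requisite + failure ends the stack at once
        elif control == "required":
            required_failed = True   # remembered; the stack keeps running
        # a failing "sufficient" line is simply ignored
    return succeeded and not required_failed, trace

def outcomes_for(pam_unix_ok):
    """Assumed results: pam_echo only prints, pam_deny always fails."""
    return {"pam_unix.so": pam_unix_ok, "pam_echo.so": True, "pam_deny.so": False}

if __name__ == "__main__":
    for label, unix_ok in [("local account", True), ("AD-only account", False)]:
        granted, trace = run_stack(STACK, outcomes_for(unix_ok))
        print(label, "->", "changed" if granted else "denied", trace)
```

In this model every request that pam_unix cannot satisfy ends at the `requisite pam_deny.so` line, so the `password include system-auth` line and the final pam_deny are never reached.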
- 03-15-2011 #3


