Les' had trouble using tl-passwd on his FC4 machine. The trouble turned out to be caused by the last line in /etc/pam.d/sshd:

session required pam_loginuid.so

The manual page for pam_loginuid.so:

--snip--
pam_loginuid(8)        System Administrator's Manual        pam_loginuid(8)

NAME
       pam_loginuid - record user's login uid to the process attribute

SYNOPSIS
       session required /lib/security/pam_loginuid.so

DESCRIPTION
       pam_loginuid sets the loginuid process attribute for the process
       that was authenticated. This is necessary for applications to be
       correctly audited. This pam module should only be used for entry
       point applications like: login, sshd, gdm, vsftpd, crond, at, and
       remote. There are probably other entry point applications besides
       these. You should not use it for applications like sudo or su as
       that defeats the purpose by changing the loginuid to the account
       they just switched to.

ARGUMENTS
       require_auditd
              This option, when given, will cause this module to query
              the audit daemon status and deny logins if it is not
              running.

EXAMPLE
       /etc/pam.d/gdm:
       auth required pam_stack.so service=system-auth
       auth required pam_nologin.so
       account required pam_stack.so service=system-auth
       password required pam_stack.so service=system-auth
       session required pam_stack.so service=system-auth
       session required pam_loginuid.so
       session optional pam_console.so

SEE ALSO
       auditd(8), auditctl(8)

BUGS
       Let's hope not, but if you find any, please email the author.

AUTHOR
       Steve Grubb <sgrubb@redhat.com>

Red Hat Linux                  2005/07/29                  pam_loginuid(8)
--snap--

Need to investigate if thinlinc should use pam_loginuid or not.
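An added example, not part of the original bug comments or the product's code: a small Python check that applies the usage rules from the quoted pam_loginuid(8) text to the body of an /etc/pam.d service file. The function names, finding labels and sample file bodies are assumptions constructed for illustration.

```python
import re

# Entry-point services named in the pam_loginuid(8) text quoted above.
ENTRY_POINTS = {"login", "sshd", "gdm", "vsftpd", "crond", "at", "remote"}
# Services the same man page says should not use the module.
SWITCH_USER = {"sudo", "su"}

# type, control (single word or [bracketed list]), module path, optional arguments
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam_line(line):
    """Return (type, control, module, args) or None for blank/comment lines."""
    line = line.split("#", 1)[0].strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    ptype, control, module, args = m.groups()
    # Compare on the module file name so full paths and bare names both match.
    return ptype.lower(), control, module.rsplit("/", 1)[-1], args.split()

def audit_service(service, text):
    """Check one /etc/pam.d/<service> file body for pam_loginuid usage."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_pam_line(raw)
        if not parsed or parsed[2] != "pam_loginuid.so":
            continue
        ptype, _control, _module, args = parsed
        if service in SWITCH_USER:
            findings.append((lineno, "loginuid-in-switch-user"))
        elif service not in ENTRY_POINTS:
            # Advisory only: the man page says other entry points may exist.
            findings.append((lineno, "unlisted-service"))
        if ptype != "session":
            findings.append((lineno, "not-session-type"))
        if "require_auditd" in args:
            findings.append((lineno, "logins-denied-without-auditd"))
    return findings

# Constructed sample file bodies, not taken from any real host.
SSHD = "auth required pam_stack.so service=system-auth\nsession required pam_loginuid.so\n"
SU = "# constructed\nsession required /lib/security/pam_loginuid.so require_auditd\n"

if __name__ == "__main__":
    for name, body in (("sshd", SSHD), ("su", SU)):
        print(name, audit_service(name, body))
```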
The best way to solve this is probably to implement bug 951, since that will eliminate the need to check the current password via lsh-pam-checkpw, since the passwd command will do that for us.
This problem exists on SLED11 as well. The main problem is that lsh-pam-checkpw not only verifies the password, but also opens a session. This is useful for VSM, but not at all necessary for tl-passwd. We could extend lsh-pam-checkpw with options to specify the desired behaviour, but probably, it's better to fix bug 951 instead.
*** Bug 3619 has been marked as a duplicate of this bug. ***
tl-passwd has been removed from the product.