tech-pkg archive


PAM Stacking



I've been working on a package for pam_passwdqc, a password strength checking 
module, and I'm encountering a problem with module stacking. I'm wondering if 
this has been encountered with other PAM modules and if anyone has a suggestion.

If I configure PAM like this:

password  requisite   /usr/pkg/lib/security/pam_passwdqc.so  ask_oldauthtok
password  required  pam_unix.so  no_warn use_first_pass debug

$ passwd
Changing password for john.
Enter current password:

You can now choose the new password or passphrase.
A valid password should be a mix of upper and lower case letters,
digits, and other characters.  You can use a 9 character long
password with characters from at least 3 of these 4 classes, or
an 8 character long password containing characters from all the
classes.  An upper case letter that begins the password and a
digit that ends it do not count towards the number of character
classes used.
A passphrase should be of at least 3 words, 12 to 40 characters
long and contain enough different characters.
Alternatively, if noone else can see your terminal now, you can
pick this as your password: "piston worthy rune sheer hair".
Enter new password:
Re-type new password:
Unable to change auth token: authentication error

and the following is logged:

passwd: in _openpam_check_error_code(): pam_sm_chauthtok(): unexpected return value 9

If I change from use_first_pass to try_first_pass it works, but the password must be 
entered for each PAM module.

-- 
John R. Shannon
STAR Technologies, LLC
A DSCI Company
jshannon%dsci.com@localhost
john.r.shannon%us.army.mil@localhost
shannonjr%NetBSD.org@localhost


