pam_cracklib正确报告错误的密码，但是pam_unix模块仍然会更改密码

我目前正在尝试使用pam_cracklib ，它根据我的debug.log正确地失败，但即使它被设置为我的PAMconfiguration文件中的password requisite条目，它仍然会转到下一个允许更改密码的pam_unix模块。 为什么它允许更改密码？

我正在通过sudo执行一个login驱动程序应用程序，这是我知道如何进行身份validation的唯一方法。

这是我的PAMconfiguration文件（名为/etc/pam.d/validate ）：

 auth required pam_env.so auth required pam_tally.so onerr=fail deny=3 auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth required pam_deny.so account required pam_unix.so account required pam_tally.so account sufficient pam_succeed_if.so uid < 500 quiet account required pam_permit.so password requisite pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so 

我使我的用户密码无效，迫使他们改变它：

• 如何使dovecot不从本地主机请求密码？
• 这个可插拔authentication模块（PAM）“代码”是什么意思？
• 如何恢复PAMconfiguration？
• Ubuntu中的帐户locking
• 使用.htaccess时如何从Apache访问Unix passwd文件？

# chage -d 0 <user>

当我使用sudo运行自定义应用程序时，我的/var/log/debug.log会产生以下内容。

 pam_unix(validate:account): expired password for user mike (root enforced) pam_cracklib(validate:chauthtok): bad password: it is WAY too short pam_unix(validate:chauthtok): password changed for mike 

  enforce_for_root The module will return error on failed check also if the user changing the password is root. This option is off by default which means that just the message about the failed check is printed but root can change the password anyway. Note that root is not asked for an old password so the checks that compare the old and new password are not performed. 

 password requisite pam_cracklib.so debug retry=3 minlen=14 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root 

  if (getuid() || options.enforce_for_root || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))