#
#  PAM configuration for secure mode secPasswdChange API: /etc/pam.d/secapi
#
#  set_crypt_env: would (MD5) hash the password and set the hashed value
#  to a PAM environment variable NEWCRYPT to be available to application.
#
#  always_ask_old: since daemon is always running as UID 0, we should
#  always ask the old password regardless which account it is changing.
#
#  Only pam_fabos.so is needed. Can stack the pam_cracklib module after
#  pam_fabos.so. However, pam_cracklib only enforces its rule if UID > 0.
#

password	required	pam_fabos.so always_ask_old set_crypt_env \
				dont_compare_passwd max_try=1
