#
# PAM configuration for non-secure mode secPasswdChange API: /etc/pam.d/api
#
# Note: Linux-PAM library does not differentiate between "requisite" and
# and "requied" flag for the pam_sm_chauthtok function with the
# "update_authtok" flag.
#
#  always_ask_old: since daemon is always running as UID 0, we should
#  always ask the old password regardless which account it is changing.
#

password        requisite       pam_fabos.so always_ask_old max_try=1
password        required        pam_unix.so md5 use_first_pass
