Before this change, enforce=users was handled like enforce=everyone for all PAM services except passwd. Now, in addition to passwd, chpasswd is another PAM service for which the enforce=users setting will enforce strong passwords for invocations by non-root users only.
The reason why the effect of enforce=users is limited to these two services is that login services invoke the PAM stack as root, so if a change of an expired password is forced, then with enforce=users and no service name check, a non-root user would bypass the password policy.
Suggested-by: Solar Designer <solar@openwall.com>
Resolves: https://github.com/openwall/passwdqc/issues/27
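The service-name check described in the commit message, as an added C sketch that is not passwdqc's own code. The enum and function names are hypothetical, `uid` stands for the real uid of the process that invoked the PAM stack, and the `login` and `sshd` service names in the sample table are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the enforce= option; not the project's types. */
enum enforce_mode { ENFORCE_NONE, ENFORCE_USERS, ENFORCE_EVERYONE };

/* Services where a real uid of 0 means root itself is picking the password. */
static int is_root_tool(const char *service)
{
	return service &&
	    (!strcmp(service, "passwd") || !strcmp(service, "chpasswd"));
}

/* Rule without a service check: uid 0 is always exempt under enforce=users. */
static int must_enforce_naive(enum enforce_mode mode, unsigned uid)
{
	if (mode == ENFORCE_EVERYONE)
		return 1;
	return mode == ENFORCE_USERS && uid != 0;
}

/* Rule from the commit message: uid 0 is exempt only for passwd/chpasswd.
 * An unknown (NULL) service fails closed and is enforced. */
static int must_enforce(enum enforce_mode mode, unsigned uid,
    const char *service)
{
	if (mode == ENFORCE_EVERYONE)
		return 1;
	return mode == ENFORCE_USERS && !(uid == 0 && is_root_tool(service));
}

int main(void)
{
	/* Constructed cases: login services run the stack as uid 0 on behalf
	 * of the user whose expired password is being changed. */
	static const struct { const char *service; unsigned uid; } cases[] = {
		{ "passwd", 0 }, { "passwd", 1000 }, { "chpasswd", 0 },
		{ "chpasswd", 1000 }, { "login", 0 }, { "sshd", 0 },
	};
	size_t i;

	printf("%-9s %5s  %5s  %7s\n", "service", "uid", "naive", "checked");
	for (i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("%-9s %5u  %5d  %7d\n", cases[i].service, cases[i].uid,
		    must_enforce_naive(ENFORCE_USERS, cases[i].uid),
		    must_enforce(ENFORCE_USERS, cases[i].uid, cases[i].service));
	return 0;
}
```

The `login` and `sshd` rows are where the two rules differ: the uid-only rule reports 0 (policy skipped) while the service-checked rule reports 1.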