On 7.5. 17:45, Jerome BENOIT wrote:
Installing pam_ssh manually
  in the primary block (as below), results in
the behaviour I would have expected.

What must I read by manually ?

I mean I edited /etc/pam.d/common-auth with a text editor, instead of using pam-auth-update(8).

I would suggest changing the config to put the module in the primary block, so that it can authenticate the user on its own.

Or, if that is not wanted, to set 'try_first_pass' instead of 'use_first_pass' so the login password and key passphrase don't need to match.

pam_ssh also never seems to ask for the passphrase, even if the password
given earlier doesn't unlock the key. (regardless of whether use_first_pass,
try_first_pass or neither is given)

Mmh, I realized this is because ChallengeResponseAuthentication is disabled by default in sshd_config, and it's needed for the conversation
with the PAM module to work.

So I have to admit this was a user error, sorry.
(Not that I think the documentation about ssh vs. pam is too clear in general, bleh.)

> Have you tried with the version in experimental ?

I did, now (libpam-ssh 2.01+ds-2), but it acts the same, since the pam config is the same and that was the only remaining problem anyway.


--
Ilkka Virta <[email protected]>


--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to