merlin <[EMAIL PROTECTED]> writes: > Package: libpam-krb5 > Version: 2.6-1 > Severity: normal
> I have a host that uses kerberos for user authentication, and which is > only accessible remotely (i.e. ssh). When I expire a user's kerberos > password (kadmin -q "modprinc +needchange <user>"), I can log in on the > console with the old password, and change it to a new password, but if I > attempt to log in via ssh, login fails, and I cannot update the > password. An administrator is then required, making in impractical for > password expiration to be used. You have to enable ChallengeResponseAuthentication in sshd_config for sshd to do a full PAM dialog. Otherwise, it fakes the PAM dialog enough to provide a password and if the PAM module has to prompt for any more data than that, it fails. Try with ChallengeResponseAuthentication enabled and let me know if it still doesn't work. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

