merlin <[EMAIL PROTECTED]> writes:

> Package: libpam-krb5
> Version: 2.6-1
> Severity: normal

> I have a host that uses kerberos for user authentication, and which is
> only accessible remotely (i.e. ssh).  When I expire a user's kerberos
> password (kadmin -q "modprinc +needchange <user>"), I can log in on the
> console with the old password, and change it to a new password, but if I
> attempt to log in via ssh, login fails, and I cannot update the
> password.  An administrator is then required, making in impractical for
> password expiration to be used.

You have to enable ChallengeResponseAuthentication in sshd_config for sshd
to do a full PAM dialog.  Otherwise, it fakes the PAM dialog enough to
provide a password and if the PAM module has to prompt for any more data
than that, it fails.

Try with ChallengeResponseAuthentication enabled and let me know if it
still doesn't work.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to