Why would Solaris compile with that flag? Solaris doesn't use the login library. The login library is a MacOS X specific feature.

In the current MIT sources, disabling prompting for a password change is a run time option. If the caller wants prompting to be disabled they should be using the krb5_get_init_creds_opt_set_change_password_prompt(opt, prompt) function to disable it. This permits callers such as PAM that would know how to handle prompting better on their own to do so while permitting the Kerberos library to prompt in the default case.

Jeffrey Altman

Markus Moeller wrote:
I checked the sources and Solaris compiles MIT Kerberos with USE_LOGIN_LIBRARY and in gic_pwd.c it means it goes to cleanup without password change attempt.

    #ifdef USE_LOGIN_LIBRARY
        if (ret == KRB5KDC_ERR_KEY_EXP)
            goto cleanup; /* Login library will deal appropriately with this error */
    #endif

I think this would mean pam_krb5 needs to remember the state in pam_authenticate (which needs to return PAM_SUCCESS) and use it in pam_acct_mgmt which will then prompt. So I guess an option like login_library_used for pam_krb5 on Solaris is needed.

Markus

"Markus Moeller" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

I see now the same message. I have to check again why my initial test looked OK.

Markus

"Coy Hile" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

On Sat, 19 Jan 2008, Russ Allbery wrote:

I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a principal whose password has expired, I see the following in the debug log:

|Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: attempting authentication as [EMAIL PROTECTED]
|Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: krb5_get_init_creds_password: Password has expired
|Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: <unknown>: exit (failure)

For what it's worth, I've got the following in my pam.conf on this box:

    # grep sshd-kbdint pam.conf
    sshd-kbdint auth requisite pam_authtok_get.so.1
    sshd-kbdint auth required pam_dhkeys.so.1
    sshd-kbdint auth required /tmp/pam_krb5.so.1 debug
    sshd-kbdint auth optional pam_unix_auth.so.1
    sshd-kbdint session required /tmp/pam_krb5.so.1 debug
    #

Am I running into SEAM just not supporting "hey bozo, your password is expired, change it now", or did I hork the configuration somehow? If you want, I can also provide the sshd_config. I appreciate any help you can give with this; I'm still a bit of a novice when it comes to doing anything cute.

Along the same lines, is there any way to bounce back something like "Your password is going to expire in n days" during the authentication process? (say only if n < 10). Actually strike that. Is there some easy way to write an app that you'd run from /etc/profile to banner that sort of information? If I were using normal UNIX auth, I could do that relatively easily using the information in the shadow file.

--
Coy Hile
[EMAIL PROTECTED]
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
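
Added example, not part of the original thread or of pam_krb5: a small log check that correlates pam_krb5 debug lines in the Solaris syslog format quoted above and reports logins that failed because the Kerberos password had expired. The user names, realm, the success line and the "Preauthentication failed" line in the sample are constructed for illustration.

```python
import re

# Constructed sample lines modelled on the debug log format quoted in the thread.
SAMPLE_LOG = """\
Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): alice: attempting authentication as alice@EXAMPLE.ORG
Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): alice: krb5_get_init_creds_password: Password has expired
Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): alice: <unknown>: exit (failure)
Jan 20 11:53:10 login sshd[10311]: [ID 584047 auth.debug] (pam_krb5): bob: attempting authentication as bob@EXAMPLE.ORG
Jan 20 11:53:11 login sshd[10311]: [ID 584047 auth.debug] (pam_krb5): bob: pam_sm_authenticate: exit (success)
Jan 20 11:54:00 login sshd[10320]: [ID 584047 auth.debug] (pam_krb5): carol: attempting authentication as carol@EXAMPLE.ORG
Jan 20 11:54:02 login sshd[10320]: [ID 584047 auth.debug] (pam_krb5): carol: krb5_get_init_creds_password: Preauthentication failed
Jan 20 11:54:02 login sshd[10320]: [ID 584047 auth.debug] (pam_krb5): carol: <unknown>: exit (failure)
"""

# timestamp, host, process[pid], Solaris "[ID n facility.level]" tag, module, user, message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<proc>[\w./-]+)\[(?P<pid>\d+)\]:\s"
    r"\[ID \d+ [\w.]+\]\s\(pam_krb5\):\s(?P<user>[^:]+):\s(?P<msg>.*)$"
)

def expired_password_failures(log_text):
    """Return [(timestamp, host, user)] for attempts that ended in failure
    after a 'Password has expired' error, correlated per process and user."""
    saw_expiry = {}   # (host, proc, pid, user) -> expiry error seen in this attempt
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.lstrip("|"))   # tolerate the quoted '|' prefix
        if not m:
            continue
        key = (m["host"], m["proc"], m["pid"], m["user"])
        msg = m["msg"]
        if msg.startswith("attempting authentication"):
            saw_expiry[key] = False            # new attempt starts clean
        elif msg.endswith("Password has expired"):
            saw_expiry[key] = True
        elif msg.endswith("exit (failure)"):
            if saw_expiry.pop(key, False):     # failure caused by expiry
                hits.append((m["ts"], m["host"], m["user"]))
        elif "exit (" in msg:
            saw_expiry.pop(key, None)          # any other exit closes the attempt
    return hits

if __name__ == "__main__":
    for ts, host, user in expired_password_failures(SAMPLE_LOG):
        print(f"{ts} {host}: {user} rejected, Kerberos password expired")
```
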
