Hi list, I am currently experimenting a bit with Kerberos policies and have run into a small usability problem regarding SSH, pam-krb5 and REQUIRES_PWCHANGE. Using Kerberos 1.8.1, OpenSSH "5.3p1 Debian-3ubuntu6" on Ubuntu 10.04.3.
Without a policy applied, a user with REQUIRES_PWCHANGE gets prompted by SSH upon successful login that his password needs to be changed. This works fine. However, when a policy is set and the user's new password does not conform to that policy, SSH does not inform the user of the problem; it simply re-prompts for the original password and then asks for a new password again. Naturally, a user will find this confusing. The Kerberos logs show the failed password change correctly (i.e. "password too short"), but SSH doesn't seem to understand the problem. In the server's SSH logs only "authentication failed" messages are shown; here is an example from our test installation:

    pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
    pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa user=testuser
    error: PAM: Authentication failure for testuser from xx.yy.zz.aa

For reference, the relevant PAM settings on the SSH server:

    account  sufficient pam_krb5.so
    account  sufficient pam_unix.so
    account  required   pam_deny.so
    auth     sufficient pam_krb5.so
    auth     sufficient pam_unix.so try_first_pass nullok_secure
    auth     required   pam_deny.so
    password sufficient pam_krb5.so
    password sufficient pam_unix.so try_first_pass obscure sha512
    password required   pam_deny.so
    session  optional   pam_krb5.so
    session  required   pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session  required   pam_unix.so

My question: is this an SSH problem? Or a PAM problem (modules stacked incorrectly)? Can this even be fixed? If so, how?

Thanks, Andreas
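As an added example (not part of the original post or of pam-krb5/OpenSSH), the following Python script parses the sshd PAM log lines quoted above into structured records and flags the situation the post describes: a login for which only auth-stack failures appear in the sshd log and no password-stack (chauthtok) record at all, which is the cue to correlate with the KDC log where the real reason (the policy rejection) is recorded. The syslog timestamp/host prefix on the constructed sample lines and the exact log layout are assumptions based on the lines shown; the "chauthtok" type name is what PAM uses when logging from the password stack.

```python
import re

# Constructed sample: the three sshd lines quoted in the post, prefixed with a
# hypothetical syslog timestamp/host as /var/log/auth.log would write them.
SAMPLE_LOG = """\
Oct 12 10:01:02 sshhost sshd[1234]: pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
Oct 12 10:01:02 sshhost sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa user=testuser
Oct 12 10:01:02 sshhost sshd[1234]: error: PAM: Authentication failure for testuser from xx.yy.zz.aa
"""

# module(service:type): message; key=value key=value ...
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<type>[^)]+)\):\s*"
    r"(?P<message>[^;]+?)\s*(?:;\s*(?P<fields>.*))?$"
)


def parse_pam_line(line):
    """Return a dict for a PAM module log line, or None for any other line."""
    m = PAM_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("module", "service", "type", "message")}
    fields = {}
    for tok in (m.group("fields") or "").split():
        key, _, val = tok.partition("=")
        fields[key] = val
    rec["fields"] = fields
    # pam_krb5 names the user in logname=, pam_unix in user= (logname= is empty there).
    rec["user"] = fields.get("user") or fields.get("logname") or None
    return rec


def parse_log(text):
    return [r for r in (parse_pam_line(l) for l in text.splitlines()) if r]


def triage(records):
    """Group PAM records per (user, rhost) and flag logins that show only
    auth-stack failures with no chauthtok (password-change) record, i.e. the
    sshd log alone cannot explain why the password change was refused."""
    groups = {}
    for r in records:
        key = (r["user"], r["fields"].get("rhost"))
        groups.setdefault(key, []).append(r)
    findings = []
    for (user, rhost), recs in groups.items():
        auth_failures = [r["module"] for r in recs
                         if r["type"] == "auth" and "failure" in r["message"]]
        has_chauthtok = any(r["type"] == "chauthtok" for r in recs)
        if auth_failures and not has_chauthtok:
            findings.append({
                "user": user,
                "rhost": rhost,
                "auth_failures": auth_failures,
                "has_chauthtok": has_chauthtok,
                "advice": "no password-stack record in sshd log; check the KDC "
                          "log for the kpasswd/policy error for this principal",
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f"{f['user']}@{f['rhost']}: auth failures from "
              f"{', '.join(f['auth_failures'])}; {f['advice']}")
```

Run it against a real auth.log excerpt by replacing SAMPLE_LOG; the third quoted line ("error: PAM: ...") is deliberately ignored because it carries no module or stack information.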
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
