Andreas Ntaflos <[email protected]> writes:

> However, when a policy is set, and the user's new password does not
> conform to that policy, SSH does not inform the user of the problem, it
> simply re-prompts for the original password and then asks for a new
> password again. Naturally, a user will find this confusing.

pam-krb5 on Debian and Ubuntu, which presumably is what you're using, tries to tell the user about a password change failure by sending a message to the PAM conversation of type PAM_ERROR_MSG. It sounds like for some reason ssh isn't accepting and displaying that message?

Could you try adding "debug" to the PAM options for the auth stack and see if the output in your local syslog about what pam-krb5 saw as the password change error is correct? You should see something prefixed with krb5_change_password. (I wonder if that should be logged at a level higher than debug.)

Ah, hm. The other possibility is that the Kerberos library may be handling the password change internally, in which case I'm not sure what its prompting behavior is on password change failure. Actually, that's the most likely, since usually the Kerberos library, since it's given a prompter function, will just do everything internally. Maybe it doesn't print out the reason for a failed password change?

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
