Andreas Ntaflos <[email protected]> writes:

> It seems indeed that SSH gets informed that the password change failed,
> but doesn't know much else. I don't see a message prefixed with
> "krb5_change_password", I'm afraid.

Okay, this is indeed all being handled internally by the Kerberos library. Maybe one of the MIT Kerberos folks can comment about how errors are reported through the Kerberos prompter facility. (My PAM module unfortunately doesn't log the prompts that it passes along from Kerberos; I should probably look at doing that.)

> After adding "debug" to the pam-krb5 options the server's SSH logs show
> this when the user logs in and changes the password:
>
> pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
> pam_krb5(sshd:auth): (user testuser) attempting authentication as
> [email protected]
> pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password:
> Password change failed
> pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0
> euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa

The problem from SSH's perspective is that since it's doing an authentication, not a password change, it doesn't know that the password change failed. All that PAM can tell it is that the authentication failed, not why (in this case a forced and failed password change). So it starts the authentication over again, which just presents the password change prompt again.

But even if ssh knew it was a failed password change, it wouldn't know why. What you need is for the agent that's attempting the password change to tell the user the error message that it got back from the password change service. The Kerberos library has that information; I'm not sure how it handles it.

A workaround would be to set defer_pwchange in the PAM options, which I believe ssh will handle correctly and which will restore control over the messaging to the PAM module. However, read the caveats for that option in the pam_krb5 man page before using it.

> I don't know anything about the Kerberos library internals but when
> using the normal "passwd" program with the PAM stack described in my
> previous message I indeed get informed of the policy violation:

This is a much different case, since this calls the password change functionality directly and therefore the PAM module is in control of all the prompting and gets the error message itself. It's an entirely different code path than forced password change during initial authentication.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
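As an added illustration of the defer_pwchange workaround mentioned above (this is not configuration from the thread or from the pam-krb5 distribution; the module path, the "sufficient"/"required" control words and the use of a separate sshd service file are assumptions for a typical Linux-PAM layout), the two stacks below contrast the default behaviour with the deferred one. With the first stack, an expired password is handled inside pam_sm_authenticate, where a failed change surfaces to sshd only as a generic authentication failure. With the second, pam_sm_authenticate succeeds, pam_sm_acct_mgmt reports that a new authentication token is required, and the application then drives the change through the password stack, where pam_krb5 owns the prompting and can relay the KDC's error message itself:

```text
# /etc/pam.d/sshd  (assumed layout, example only)

# Default: a forced password change is attempted during authentication.
# If the new password violates policy, sshd only sees "authentication
# failure" and restarts the exchange, presenting the same prompt again.
auth      sufficient  pam_krb5.so debug
auth      required    pam_deny.so
account   required    pam_krb5.so
password  sufficient  pam_krb5.so
session   optional    pam_krb5.so

# Deferred: authentication succeeds with the expired password, the account
# phase signals that the password must be changed, and the change runs in
# the password phase, where pam_krb5 controls the messages shown to the user.
auth      sufficient  pam_krb5.so debug defer_pwchange
auth      required    pam_deny.so
account   required    pam_krb5.so
password  sufficient  pam_krb5.so
session   optional    pam_krb5.so
```

Both the account and password lines are needed for the deferred variant to work: the account phase is what carries the "change required" result back to sshd, and the password phase is where the change actually happens. Before deploying, confirm against the pam_krb5 man page which service types the option affects and what it implies for applications that skip the account phase.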
