On 2011-09-02 00:42, Russ Allbery wrote:
> Andreas Ntaflos <[email protected]> writes:
>
>> However, when a policy is set, and the user's new password does not
>> conform to that policy, SSH does not inform the user of the problem, it
>> simply re-prompts for the original password and then asks for a new
>> password again. Naturally, a user will find this confusing.
>
> pam-krb5 on Debian and Ubuntu, which presumably is what you're using,
> tries to tell the user about a password change failure by sending a
> message to the PAM conversation of type PAM_ERROR_MSG. It sounds like for
> some reason ssh isn't accepting and displaying that message?
>
> Could you try adding "debug" to the PAM options for the auth stack and see
> if the output in your local syslog about what pam-krb5 saw as the password
> change error is correct? You should see something prefixed with
> krb5_change_password. (I wonder if that should be logged at a level
> higher than debug.)
Russ, thanks for your prompt response, again!

It seems indeed that SSH gets informed that the password change failed, but doesn't know much else. I don't see a message prefixed with "krb5_change_password", I'm afraid.

After adding "debug" to the pam-krb5 options the server's SSH logs show this when the user logs in and changes the password:

pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as [email protected]
pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Password change failed
pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa user=testuser
error: PAM: Authentication failure for testuser from xx.yy.zz.aa
pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as [email protected]

> Ah, hm. The other possibility is that the Kerberos library may be
> handling the password change internally, in which case I'm not sure what
> its prompting behavior is on password change failure. Actually, that's
> the most likely, since usually the Kerberos library, since it's given a
> prompter function, will just do everything internally. Maybe it doesn't
> print out the reason for a failed password change?

I don't know anything about the Kerberos library internals but when using the normal "passwd" program with the PAM stack described in my previous message I indeed get informed of the policy violation:

testuser@shellserver:~$ passwd
Current Kerberos password:
Enter new Kerberos password:
Retype new Kerberos password:
Server error: New password is too short. Please choose a password which is at least 10 characters long.
passwd: Authentication token manipulation error
passwd: password unchanged

Are passwd and SSH's PAM/challenge-response stuff even related?

Andreas
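Since the reason for the failure reaches syslog (via the "debug" option) even though it never reaches the user's SSH session, an administrator can at least recover it from the logs. The following is an added example, not code from the thread or from pam-krb5: it correlates the krb5_get_init_creds_password reason line with the pam_krb5 "authentication failure" record that follows it, so each failed login is reported together with its source host and the reason the user was never shown. The sample log is constructed to mirror the lines quoted above (xx.yy.zz.aa is the thread's own placeholder; the realm, the second user and the second host are made up); `re.search` is used so the parser also works on full syslog lines that carry a timestamp and process prefix.

```python
import re

# Constructed sample modelled on the pam-krb5 "debug" output quoted in the
# thread. The realm, the user "alice" and the host 10.0.0.7 are invented.
SAMPLE_LOG = """\
pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser@EXAMPLE.TEST
pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password: Password change failed
pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
pam_krb5(sshd:auth): pam_sm_authenticate: exit (failure)
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa user=testuser
error: PAM: Authentication failure for testuser from xx.yy.zz.aa
pam_krb5(sshd:auth): (user alice) krb5_get_init_creds_password: Preauthentication failed
pam_krb5(sshd:auth): authentication failure; logname=alice uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.7
"""

# The line that carries the Kerberos library's reason for the failure.
REASON_RE = re.compile(
    r"pam_krb5\((?P<service>[^:]+):auth\): \(user (?P<user>\S+)\) "
    r"krb5_get_init_creds_password: (?P<reason>.+)$"
)

# The generic PAM failure record pam-krb5 logs right after it, which is the
# only line that names the remote host.
FAILURE_RE = re.compile(
    r"pam_krb5\((?P<service>[^:]+):auth\): authentication failure; "
    r"logname=(?P<logname>\S*) uid=\d+ euid=\d+ tty=(?P<tty>\S*) "
    r"ruser=(?P<ruser>\S*) rhost=(?P<rhost>\S*)"
)


def correlate_failures(lines):
    """Return one record per pam_krb5 authentication failure, carrying the
    reason from the preceding krb5_get_init_creds_password line (if any).

    The reason and the failure record are logged as two separate lines, so
    the most recent reason per PAM service is held until its failure line
    arrives. A failure with no preceding reason is reported as "unknown".
    """
    pending = {}  # service name -> (user, reason) awaiting its failure line
    results = []
    for line in lines:
        m = REASON_RE.search(line)
        if m:
            pending[m.group("service")] = (m.group("user"), m.group("reason"))
            continue
        m = FAILURE_RE.search(line)
        if m:
            user, reason = pending.pop(
                m.group("service"), (m.group("logname"), "unknown")
            )
            results.append({
                "service": m.group("service"),
                "user": user,
                "rhost": m.group("rhost") or "-",
                "reason": reason,
            })
    return results


def password_change_failures(lines):
    """Only the failures caused by a rejected password change, i.e. the case
    from the thread where the user gets no explanation from SSH."""
    return [r for r in correlate_failures(lines)
            if r["reason"] == "Password change failed"]


if __name__ == "__main__":
    for rec in correlate_failures(SAMPLE_LOG.splitlines()):
        print(f"{rec['service']}: user={rec['user']} rhost={rec['rhost']} "
              f"reason={rec['reason']}")
```

Run against the real syslog, the output tells the administrator which users are being bounced by the password policy and from where, which is the information the user in the thread never received on the SSH side.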
________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
