I am using an external security manager to authenticate user ids and
passwords with CA-ACF2 using PAM. All is working fine except SSH. SSH is
not propagating the ACF2 message back unless the signon is successful.
In other words, if the user password is expired, or the user mistyped the
password, SSH just re-prompts for the password. Only once the password is
accepted and the signon succeeds does SSH produce the messages. This
creates problems if the password is expired as the user does not know
this. They keep trying until our friend, "intruder lockout", kicks in.
Here is my /etc/pam.d/sshd config:
#%PAM-1.0
auth required pam_nologin.so
auth required pam_env.so
auth requisite pam_CA_esm.so
account required pam_unix2.so
account required pam_nologin.so
password sufficient pam_CA_esm.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so none # trace or debug
session required pam_limits.so
Can anyone shed some light on this? This appears to only occur with sshd.
Is there some special sshd config option I need to set to get these
messages? A PAM debug trace for the esm module shows that ACF2 is issuing
the message; it is just that sshd is not showing it to me. Thanks in advance.
Peter
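The following is an added illustration, not code from the post or from CA-ACF2 or OpenSSH. It models the PAM conversation protocol, the callback through which a module like pam_CA_esm.so sends prompts and messages back to the application, and shows the two ways an application can treat PAM_ERROR_MSG/PAM_TEXT_INFO messages: collect them and show them only with the login banner after a successful signon, or forward them to the user as they arrive. The module, the account table and the two conversation classes are constructed for the demonstration; only the PAM_* constants are the real Linux-PAM values.

```python
"""Simulated PAM conversation, constructed to show why an application that
answers only password prompts loses the module's error messages on a failed
signon, while one that forwards every message shows them immediately."""
from dataclasses import dataclass, field

# Message styles and return codes: real Linux-PAM values (<security/_pam_types.h>).
PAM_PROMPT_ECHO_OFF = 1
PAM_PROMPT_ECHO_ON = 2
PAM_ERROR_MSG = 3
PAM_TEXT_INFO = 4
PAM_SUCCESS = 0
PAM_AUTH_ERR = 7
PAM_NEW_AUTHTOK_REQD = 12

# Constructed account table standing in for the external security manager.
ACCOUNTS = {
    "alice": {"password": "correct horse", "expired": False},
    "bob": {"password": "battery staple", "expired": True},
}


def esm_auth_module(user, conv):
    """Hypothetical auth module. Like the real one described in the post, it
    asks for the password through the conversation function and reports the
    outcome as PAM_ERROR_MSG / PAM_TEXT_INFO messages through the same channel."""
    (reply,) = conv([(PAM_PROMPT_ECHO_OFF, "Password: ")])
    acct = ACCOUNTS.get(user)
    if acct is None or reply != acct["password"]:
        conv([(PAM_ERROR_MSG, "ACF2: password not valid")])
        return PAM_AUTH_ERR
    if acct["expired"]:
        conv([(PAM_ERROR_MSG, "ACF2: password has expired, signon rejected")])
        return PAM_NEW_AUTHTOK_REQD
    conv([(PAM_TEXT_INFO, "ACF2: signon accepted")])
    return PAM_SUCCESS


@dataclass
class PasswordAuthConv:
    """Conversation that answers prompts with a password obtained up front and
    merely buffers every other message into a 'login message' that is only
    released to the user if the signon succeeds."""
    password: str
    loginmsg: list = field(default_factory=list)

    def __call__(self, messages):
        replies = []
        for style, text in messages:
            if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                replies.append(self.password)
            else:
                self.loginmsg.append(text)  # deferred, never shown on failure
                replies.append("")
        return replies

    def shown_to_user(self, rc):
        return list(self.loginmsg) if rc == PAM_SUCCESS else []


@dataclass
class KbdIntConv:
    """Conversation that relays every PAM_ERROR_MSG / PAM_TEXT_INFO to the user
    at the moment the module emits it, regardless of the final result."""
    password: str
    shown: list = field(default_factory=list)

    def __call__(self, messages):
        replies = []
        for style, text in messages:
            if style in (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON):
                replies.append(self.password)
            else:
                self.shown.append(text)  # forwarded immediately
                replies.append("")
        return replies

    def shown_to_user(self, rc):
        return list(self.shown)


def attempt_signon(user, password, conv_class):
    """Run one signon attempt; return (pam_rc, messages the user actually saw)."""
    conv = conv_class(password)
    rc = esm_auth_module(user, conv)
    return rc, conv.shown_to_user(rc)


if __name__ == "__main__":
    for user, pw in (("bob", "battery staple"), ("alice", "wrong"), ("alice", "correct horse")):
        for cls in (PasswordAuthConv, KbdIntConv):
            rc, seen = attempt_signon(user, pw, cls)
            print(f"{cls.__name__:17} {user:6} rc={rc:2} user saw: {seen}")
```

Running it shows the pattern from the post: with the buffering conversation, bob's expired-password rejection and alice's mistyped password produce no visible message at all (the user would just be re-prompted), while the forwarding conversation displays the ACF2 text on the failed attempt. OpenSSH behaves the same way: its password authentication method collects PAM messages and prints them only with the login message after a successful login, whereas keyboard-interactive authentication (UsePAM yes together with ChallengeResponseAuthentication yes in sshd_config) sends them to the client as part of each prompt exchange, so an expired-password message reaches the user before the intruder lockout threshold is hit.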
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390