[Freeipa-users] Re: Using pam_krb5 to change password at ssh prompt gives shell

2017-12-01 Thread Aaron Hicks via FreeIPA-users
Hi Jochen,

Yes, that's pam_deny.so on the next line:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
#password   sufficient    pam_sss.so use_authtok # fails with 2FA enabled
password    sufficient    pam_krb5.so chpw_prompt=true use_authtok debug=true [banner=Retype old]
password    required      pam_deny.so

-Original Message-
From: Jochen Hein [mailto:joc...@jochen.org] 
Sent: Wednesday, 29 November 2017 6:37 PM
To: Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
Cc: Aaron Hicks <aaron.hi...@nesi.org.nz>
Subject: Re: [Freeipa-users] Using pam_krb5 to change password at ssh prompt gives shell

Aaron Hicks via FreeIPA-users <freeipa-users@lists.fedorahosted.org>
writes:

> As a workaround for another issue we have with using two-factor 
> authentication, we're using pam_krb5 to change expired passwords, so 
> in /etc/pam.d/password-auth-ac we have changed the password section to be:
>
...
>
> This puts the user through a password reset process without the second 
> factor interfering, but at the end they get shell. This is without the 
> second factor.
>
>  
>
> Is there a parameter for this so that the connection is disconnected 
> instead, or the connection attempt is restarted?

I'd try pam_deny.  This should work for password section.

Jochen

--
This space is intentionally left blank.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
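The stack above is easy to misread by eye, so here is an added example (not code from the original posts, pam_krb5 or FreeIPA) that parses pam.d-style lines like the posted password section and walks them with the simplified Linux-PAM control-flag semantics (requisite, required, sufficient, optional). It models each module as simply succeeding or failing, ignores the [value=action] control syntax and individual PAM return codes, and uses a constructed copy of the posted stack with the field spacing restored. The scenario names and the `evaluate`/`scenarios` helpers are this example's own.

```python
"""Simulate Linux-PAM control-flag evaluation for a pam.d 'password' stack.

Constructed example for this thread; not part of pam_krb5, FreeIPA or the
poster's system. Simplified model: every module either succeeds or fails,
and only the four keyword control flags are understood.
"""

# Constructed copy of the posted stack, with the field spacing restored.
POSTED_STACK = """\
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
#password   sufficient    pam_sss.so use_authtok # fails with 2FA enabled
password    sufficient    pam_krb5.so chpw_prompt=true use_authtok debug=true [banner=Retype old]
password    required      pam_deny.so
"""


def parse_stack(text, module_type="password"):
    """Return [(control, module, args)] for one module type.

    '#' starts a comment that runs to end of line (pam.conf rules), so the
    commented-out pam_sss.so line is dropped entirely.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(None, 3)            # type control module [args]
        if len(fields) < 3 or fields[0] != module_type:
            continue
        control, module = fields[1], fields[2]
        args = fields[3] if len(fields) > 3 else ""
        entries.append((control, module, args))
    return entries


def evaluate(entries, results):
    """Walk the stack; results maps module name -> True (success) / False.

    Modules absent from `results` are treated as failing, which also models
    pam_deny.so (it never succeeds). Returns (outcome, decided_by):
      "success"   - a sufficient module succeeded with no earlier required/
                    requisite failure, or the stack ended with a positive result
      "failure"   - a requisite failed, or a required module failed
      "undefined" - no module set any result; the config itself says nothing
                    about this case, which is what a trailing pam_deny.so avoids
    """
    required_failed = None
    first_positive = None
    for control, module, _args in entries:
        ok = results.get(module, False)
        if control == "requisite":
            if not ok:
                return "failure", module         # stops the stack at once
            first_positive = first_positive or module
        elif control == "required":
            if not ok:
                required_failed = required_failed or module   # remembered
            else:
                first_positive = first_positive or module
        elif control == "sufficient":
            if ok and required_failed is None:
                return "success", module         # short-circuits the stack
            # a failing sufficient module is simply ignored
        elif control == "optional":
            if ok and len(entries) == 1:
                first_positive = module          # only counts when alone
        else:
            raise ValueError("unsupported control flag: %s" % control)
    if required_failed is not None:
        return "failure", required_failed
    if first_positive is not None:
        return "success", first_positive
    return "undefined", None


def scenarios(stack_text=POSTED_STACK):
    """Evaluate the cases that matter for this thread; returns name -> result."""
    stack = parse_stack(stack_text)
    without_deny = [e for e in stack if e[1] != "pam_deny.so"]
    sufficient_only = [e for e in stack if e[0] == "sufficient"]
    pwq_ok = {"pam_pwquality.so": True}
    return {
        # pam_krb5 changes the expired password: the sufficient module
        # returns success and pam_deny.so is never consulted
        "krb5_changed": evaluate(stack, {**pwq_ok, "pam_krb5.so": True}),
        # pam_unix and pam_krb5 both fail: the stack falls through to pam_deny
        "all_fail": evaluate(stack, pwq_ok),
        # same failures without the deny line: the requisite pam_pwquality
        # success is the only recorded result, so the stack still succeeds
        "all_fail_no_deny": evaluate(without_deny, pwq_ok),
        # new password rejected by pam_pwquality: requisite ends the stack early
        "weak_password": evaluate(stack, {"pam_pwquality.so": False, "pam_krb5.so": True}),
        # only sufficient modules, all failing: nothing set a result at all
        "sufficient_only_fail": evaluate(sufficient_only, {}),
    }


if __name__ == "__main__":
    for name, (outcome, module) in scenarios().items():
        print("%-22s %-10s decided by %s" % (name, outcome, module))
```

Run stand-alone it prints one line per scenario. The two cases worth comparing are "all_fail" and "all_fail_no_deny": once the requisite pam_pwquality.so has succeeded, failing sufficient modules are ignored, so without the final `required pam_deny.so` the stack reports success even though no module changed anything; with it, the fall-through is an explicit failure. Note also that when pam_krb5.so succeeds the stack returns before pam_deny.so is reached, so the deny line has no effect on that path.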


[Freeipa-users] Re: Using pam_krb5 to change password at ssh prompt gives shell

2017-11-28 Thread Jochen Hein via FreeIPA-users
Aaron Hicks via FreeIPA-users 
writes:

> As a workaround for another issue we have with using two-factor
> authentication, we're using pam_krb5 to change expired passwords, so in
> /etc/pam.d/password-auth-ac we have changed the password section to be:
>
...
>
> This puts the user through a password reset process without the second
> factor interfering, but at the end they get shell. This is without the
> second factor.
>
>  
>
> Is there a parameter for this so that the connection is disconnected instead, or
> the connection attempt is restarted?

I'd try pam_deny.  This should work for password section.

Jochen

-- 
This space is intentionally left blank.