[Bug 423] Workaround for pw change in privsep mode (3.5.p1)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Sep 2 01:06:59 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=423





------- Additional Comments From michael_steffens at hp.com  2003-09-02 01:06 -------
Tried to find where the strange password authentication behaviour mentioned
in comment #22 comes from, and why plain old password authentication fails in
HP-UX trusted mode. Maybe this got me a bit closer to how the new code works. :)

Apparently it's falling back to non-PAM authentication for plain old password
authentication (the one where the client prompts "user at host's password:").

This fails in trusted mode, because DISABLE_SHADOW is defined for all versions
of HP-UX, thus getspnam is not being used to retrieve the real pw hash.
Instead the '*' from /etc/passwd is being used. By enabling shadow this can
be fixed. I have tried it and it worked.

On the other hand, with proto 1, TIS authentication has precedence over
password authentication, and it actually works using sshpam_device.  PAM
happens to generate the challenge "Password:", and succeeds when getting
the correct password on the prompt "Response:".

In case password via TIS fails (for example because the user was confused by
the prompts), traditional password authentication, bypassing PAM, is being
tried.

Is this correct and the intended order?





------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.




More information about the openssh-bugs mailing list