[Bug 423] Workaround for pw change in privsep mode (3.5.p1)
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Tue Sep 2 01:06:59 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=423
------- Additional Comments From michael_steffens at hp.com 2003-09-02 01:06 -------
Tried to find where the strange password authentication behaviour mentioned
in comment #22 comes from, and why plain old password authentication fails in
HP-UX trusted mode. Maybe this got me a bit closer to how the new code works. :)
Apparently it's falling back to non-PAM authentication for plain old password
authentication (the one where the client prompts "user at host's password:").
This fails in trusted mode, because DISABLE_SHADOW is defined for all versions
of HP-UX, thus getspnam is not being used to retrieve the real pw hash.
Instead the '*' from /etc/passwd is being used. By enabling shadow this can
be fixed. I have tried it and it worked.
On the other hand, with proto 1, TIS authentication has precedence over
password authentication, and it actually works using sshpam_device. PAM
happens to generate the challenge "Password:", and succeeds when getting
the correct password on the prompt "Response:".
In case password via TIS fails (for example because the user was confused by
the prompts), traditional password authentication, bypassing PAM, is being
tried.
Is this correct and the intended order?
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
More information about the openssh-bugs
mailing list