[Bug 568] Kerberos password auth/expiry kbdint patch
bugzilla-daemon at mindrot.org
Wed Apr 7 00:37:41 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=568
------- Additional Comments From michael.houle at atcoitek.com 2004-04-07 00:37 -------
It is because of PAM that I've tried to get native kerb5 working with
password expiry. Normally I would go with PAM but it seems that I cannot get
both priv/pub login and interactive login (with password changing) working. Our
relevant pam.conf lines:

    sshd auth required /usr/lib/security/pam_krb5.so.1
    sshd account required /usr/lib/security/pam_krb5.so.1

Note that we are using Sun's pam_krb5.so.1.
With the above 'account' line enabled, we cannot use pub/priv login. Darren
Tucker explained to me that although PAM's 'auth' is skipped for pub/priv login,
'account' cannot be skipped because you have to check for login times,
/etc/nologin, etc. If I comment out the 'account' line, pub/priv logins work,
but of course password changing won't work then.
What's happening for pub/priv login is that the 'account' module of pam_krb5 is
trying to check if the password is expired on pub/priv login. This blocks any
automated ssh/scp scripts we have in place.
So it seems we are in a catch-22 and that is why I am interested in this patch.
The native kerb5 support in sshd is working for both modes of operation. I only
need to get password changing working and then I can shut down telnet ;)
Thanks.