[Bug 1065] password expiration and SSH keys don't go well together

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Dec 7 09:53:02 EST 2005


http://bugzilla.mindrot.org/show_bug.cgi?id=1065





------- Comment #12 from dtucker at zip.com.au  2005-12-07 09:53 -------
(From update of attachment 1036)
This looks like the reason:
>PAM: pam_chauthtok(): User not known to the underlying authentication module

I suspect that the chauthtok() in the pam_ldap module relies on something set
earlier during the authenticate(), and is bailing when it's not present due to
the authentication being done via public-key and not PAM.  If that's the case,
I can't see anything sshd can do to make pam_chauthtok() work under those
conditions; it would require (probably minor) surgery on pam_ldap.

As a workaround you can try enabling UsePrivilegeSeparation: this will cause
sshd to exec /usr/bin/password to change the password, rather than using
pam_chauthtok() directly.



