[Bug 423] Workaround for pw change in privsep mode (3.5.p1)

Michael Steffens michael_steffens at hp.com
Fri Nov 8 21:00:05 EST 2002

Darren Tucker wrote:
> Michael Steffens wrote:
>>And, if the PAM stack for sshd is really configured to prompt for
>>multiple different passwords, authentication will always fail...
> So by rights, PAM authentication should always be done via
> keyboard-interactive? If you do that, you can throw the pam_chauthtok
> stuff in there too?

Yes and no :)

If keyboard-interactive would work in privsep mode (it doesn't, at
least for me) and if it would be also available for protocol 1,
which it isn't, it could be the general PAM authentication channel.

But its main purpose (I may be wrong there) seems to be providing a
full PAM conversation to the client without a local TTY, analogously
to the INITIAL_LOGIN mode with do_pam_conversation().

For pam_chauthtok() this is not relevant, because it is to be called
after successful authentication with session and TTY established.

So I doubt that keyboard-interactive is the appropriate place to
throw pam_chauthtok in.

More information about the openssh-unix-dev mailing list