kerberos + gssapi password change

Darren Tucker dtucker at
Thu Oct 9 12:53:26 EST 2003

Andreas Girardet wrote:
> >I don't speak Kerberos myself but someone once reported [0] that an
> >earlier version of my password expiry patch [1] worked with Kerberos on
> an
> >earlier version of OpenSSH when PATH_PASSWD_PROGRAM was set to "kinit".
> I have tried this and I am still get the same behaviour. keyboard
> interactive fails and I wonder if ssh actually understands at all what
> PAM is getting back from kerberos.

The debug you posted earlier shows this:
debug3: ssh_msg_send: type 7
PAM: Authentication token is no longer valid; new one required.
debug3: mm_request_send entering: type 49
debug3: mm_request_receive entering
debug3: mm_sshpam_query: pam_query returned -1
debug2: auth2_challenge_start: devices <empty>

Maybe sshpam_query needs to understand PAM_NEW_AUTHTOK_REQD?

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list