Solaris password requirements not enforced

Darren Tucker dtucker at zip.com.au
Thu Aug 12 08:46:16 EST 2004


Srinivas Gopaladasu wrote:
> My only problem which I think probably be easily fixed is, any messages 
> by Solaris are not displayed.
> For ex, it shows as below:
[...]
> Any idea why the messages from Solaris are suppressed?

As soon as the PAM call completes, the keyboard-interactive machinery 
considers the authentication attempt complete and no further 
keyboard-interactive messages are sent for that round.

PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the 
prompts to the user.  The upshot is any ERROR_MSG or TEXT_INFO messages 
sent after PROMPT_ECHO* will not be displayed if the authentication 
fails.  If the authentication succeeds, the remaining messages are 
stored for display to the user after login.

It would be possible within the protocol to have a final message in the 
kbdint round with the message in the "instruction" field but zero 
prompts.  I don't know how hard that would be to implement.  There's a 
couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect).

[1] http://bugzilla.mindrot.org/show_bug.cgi?id=892

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list