Challenge Response authentication
Darren Tucker
dtucker at zip.com.au
Sun Mar 28 20:33:11 EST 2004
Kumaresh wrote:
> Is there a difference in 3.6 and 3.7 implementation of ChallengeResponse
> authentication?
Challenge-response hasn't changed much, but the PAM challenge-response
module was completely replaced between 3.6.1p2 and 3.7p1.
> Also, what is the impact of setting UsePAM yes and no with respect to this
> authentication method and expiry passwords.
For 3.8p1 and up, when a user's password is expired and UsePAM=yes,
    if Protocol == 2 and keyboard-interactive auth
        force change via keyboard-interactive
    else if PrivSep == no
        force change via pam_chauthtok() at start of session
    else
        force change via /usr/bin/passwd in session
With PAM enabled, password expiry is checked for *all* authentication
types (assuming PAM is configured to do so) since that test is done by
pam_acct_mgmt(), which needs to be checked for all auth types.
When UsePAM=no, password expiry is checked *only* for password
authentication, and password change is always done via /usr/bin/passwd.
Note that there is a bug when UsePAM=yes, the user's password is expired
and challenge-response is not used (see bugzilla #808).
(This is from memory, hopefully I got all the details right :-)
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
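The decision tree in the reply above, turned into a small audit script. This is an added example, not code from the original post or from OpenSSH itself: it takes sshd's effective configuration in the format `sshd -T` prints (lowercase keyword, a space, the value, one per line) together with the authentication method a client used, and reports whether the expired password is noticed and which change mechanism is forced. The sample configurations are constructed; the keyword names, the defaults assumed when a keyword is absent, and the `kbdinteractiveauthentication` alias handling are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenSSH): classify how
# sshd enforces an expired password, following the reply's decision tree.

# Constructed sample configurations in `sshd -T` output format (assumption).
CFG_PAM='usepam yes
protocol 2
challengeresponseauthentication yes
useprivilegeseparation yes
pubkeyauthentication yes'

CFG_PAM_NOPRIVSEP='usepam yes
protocol 2
challengeresponseauthentication yes
useprivilegeseparation no'

CFG_NOPAM='usepam no
protocol 2
challengeresponseauthentication yes
useprivilegeseparation yes'

# cfg_get "<config text>" <keyword>: print the (lowercased) value of the
# first matching keyword, or nothing if it is absent.
cfg_get() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# expiry_path "<config text>" <method>: method is one of
# password, keyboard-interactive or publickey.
expiry_path() {
    cfg=$1
    method=$2
    usepam=$(cfg_get "$cfg" usepam)
    proto=$(cfg_get "$cfg" protocol)
    chal=$(cfg_get "$cfg" challengeresponseauthentication)
    privsep=$(cfg_get "$cfg" useprivilegeseparation)

    # Assumed defaults for keywords that newer sshd versions no longer print:
    # protocol 2 only, privilege separation on, and the newer keyword
    # kbdinteractiveauthentication standing in for challengeresponseauthentication.
    [ -z "$proto" ] && proto=2
    [ -z "$privsep" ] && privsep=yes
    [ -z "$chal" ] && chal=$(cfg_get "$cfg" kbdinteractiveauthentication)

    if [ "$usepam" != yes ]; then
        # UsePAM no: only password authentication notices expiry at all.
        if [ "$method" = password ]; then
            echo "expiry checked; change forced via /usr/bin/passwd"
        else
            echo "expiry NOT checked for $method"
        fi
        return 0
    fi

    # UsePAM yes: pam_acct_mgmt() runs for every auth type, so expiry is
    # always noticed; only the mechanism used to force the change differs.
    case ",$proto," in
        *,2,*) has2=yes ;;
        *)     has2=no ;;
    esac
    if [ "$method" = keyboard-interactive ] && [ "$has2" = yes ] && [ "$chal" = yes ]; then
        echo "expiry checked; change forced via keyboard-interactive"
    elif [ "$privsep" = no ]; then
        echo "expiry checked; change forced via pam_chauthtok() at session start"
    else
        # The reply notes a bug (bugzilla #808) for exactly this combination:
        # UsePAM yes, expired password, challenge-response not used.
        echo "expiry checked; change forced via /usr/bin/passwd in session (see bugzilla #808)"
    fi
}

# demo: print the outcome for every sample configuration and method.
demo() {
    for m in password keyboard-interactive publickey; do
        echo "UsePAM yes, privsep yes, $m: $(expiry_path "$CFG_PAM" "$m")"
        echo "UsePAM yes, privsep no,  $m: $(expiry_path "$CFG_PAM_NOPRIVSEP" "$m")"
        echo "UsePAM no,               $m: $(expiry_path "$CFG_NOPAM" "$m")"
    done
}

# Run as `sh expiry_path.sh demo` for the table, or feed a live server with
# `expiry_path "$(sshd -T)" publickey` (sshd -T must run as root).
if [ "${1:-}" = demo ]; then
    demo
fi
```

The `publickey` row under UsePAM=no is the one worth noticing on a real server: a user whose password has expired can keep logging in with a key and is never prompted, because only the password method runs the expiry test. Current OpenSSH releases no longer accept Protocol 1 or a privilege-separation toggle and spell the keyboard-interactive keyword `KbdInteractiveAuthentication`, so `sshd -T` on such a server will not print the `protocol` or `useprivilegeseparation` lines; the script substitutes the defaults noted in the comments.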