[Bug 568] Kerberos password auth/expiry kbdint patch

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Apr 7 00:37:41 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=568





------- Additional Comments From michael.houle at atcoitek.com  2004-04-07 00:37 -------
It is because of PAM that I've tried to get native kerb5 working with
password expiry. Normally I would go with PAM but it seems that I cannot get
both priv/pub login and interactive login (with password changing) working. Our
relevant pam.conf lines:

sshd    auth     required    /usr/lib/security/pam_krb5.so.1
sshd    account  required    /usr/lib/security/pam_krb5.so.1

Note that we are using Sun's pam_krb5.so.1. 

With the above 'account' line enabled, we cannot use pub/priv login. Darren
Tucker explained to me that although PAM's 'auth' is skipped for pub/priv login, 
'account' cannot be skipped because you have to check for login times,
/etc/nologin, etc. If I comment out the 'account' line, pub/priv logins work,
but of course password changing won't work then. 

What's happening for pub/priv login is that the 'account' module of pam_krb5 is
trying to check if the password is expired on pub/priv login. This blocks any
automated ssh/scp scripts we have in place. 

So it seems we are in a catch-22 and that is why I am interested in this patch.
The native kerb5 support in sshd is working for both modes of operation. I only
need to get password changing working and then I can shut down telnet ;)

Thanks. 


