Michael Richters <[EMAIL PROTECTED]> writes:
> On Tue, Feb 20, 2007 at 10:24:55PM -0800, Russ Allbery wrote:

>> You have to enable ChallengeResponseAuthentication in sshd_config for
>> sshd to do a full PAM dialog.  Otherwise, it fakes the PAM dialog
>> enough to provide a password and if the PAM module has to prompt for
>> any more data than that, it fails.

> Thank you.  That does work, though it is far from obvious, since
> pam_unix does not require ChallengeResponseAuthentication in order to
> provide almost the same functionality (it forces the user to log in
> again after changing the password).

I don't see how pam_unix would avoid needing to have this enabled to
provide this functionality.  Unless ChallengeResponseAuthentication is
enabled, there is no way for a PAM module to do supplemental prompts
through sshd since sshd's conversation function simply doesn't pay any
attention to them.  Are you sure that, for Unix passwords, sshd doesn't
just take care of the password expiration and change itself?

If not, I'd love to know how pam_unix manages to do it.

> I submit that this is a minor documentation bug.  At the least, a brief
> note (such as the above paragraph) in /usr/share/doc/libpam-krb5 would
> suffice, in my opinion.

Agreed.  I'll add that in the next release.

-- 
Russ Allbery ([EMAIL PROTECTED])               <http://www.eyrie.org/~eagle/>
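
The check described in this thread, as an added example that is not part of the original messages: a small Python parser that reports whether the global section of an sshd_config allows a full PAM dialog. The sample config, the function names, the UsePAM check and the KbdInteractiveAuthentication alias are assumptions not taken from the thread.

```python
import re

ALIASES = {
    # Newer OpenSSH releases spell this option KbdInteractiveAuthentication
    # and keep the old name as an alias (not mentioned in the thread).
    "kbdinteractiveauthentication": "challengeresponseauthentication",
}

# Constructed sample, not taken from the thread.
SAMPLE_CONFIG = """\
UsePAM yes
PasswordAuthentication yes
challengeresponseauthentication no
ChallengeResponseAuthentication yes

Match User backup
    ChallengeResponseAuthentication yes
"""

def global_settings(text):
    """Map lower-cased keyword -> value for lines before the first Match.

    Include files are not followed.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and argument are separated by whitespace and/or one "=".
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break  # everything below is conditional, not global
        value = parts[1].strip().strip('"').lower() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # sshd keeps the first value seen
    return settings

def full_pam_dialog(text):
    """True/False if explicitly configured, None if left to sshd's default."""
    cfg = global_settings(text)
    values = [cfg.get("usepam"), cfg.get("challengeresponseauthentication")]
    if "no" in values:
        return False  # PAM modules cannot issue supplemental prompts
    if None in values:
        return None   # depends on the built-in default of this sshd build
    return values == ["yes", "yes"]
```

A result of `None` means the file does not settle the question; `sshd -T` on the host prints the effective values.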

