On Wed, Feb 21, 2007 at 10:28:48AM -0800, Russ Allbery wrote:
> Michael Richters <[EMAIL PROTECTED]> writes:
> > On Tue, Feb 20, 2007 at 10:24:55PM -0800, Russ Allbery wrote:
>
> >> You have to enable ChallengeResponseAuthentication in sshd_config for sshd to do a full PAM dialog. Otherwise, it fakes the PAM dialog enough to provide a password and if the PAM module has to prompt for any more data than that, it fails.
>
> > Thank you. That does work, though it is far from obvious, since pam_unix does not require ChallengeResponseAuthentication in order to provide almost the same functionality (it forces the user to log in again after changing the password).
>
> I don't see how pam_unix would avoid needing to have this enabled to provide this functionality. Unless ChallengeResponseAuthentication is enabled, there is no way for a PAM module to do supplemental prompts through sshd since sshd's conversation function simply doesn't pay any attention to them. Are you sure that, for Unix passwords, sshd doesn't just take care of the password expiration and change itself?
>
> If not, I'd love to know how pam_unix manages to do it.
My guess is that it doesn't do it through sshd. When logging in using pam_unix with an expired password, my process tree shows a 'passwd' child of sshd. I'm guessing this means that authentication succeeded, as far as sshd is concerned, but the 'login' program (or whatever, I'm not that familiar with the process) knows that the account is expired, so it runs 'passwd', which prompts for the user's (old) password again, then for the new password (same as running 'passwd' manually). Once 'passwd' exits, the ssh connection is gone (because sshd exits), and the user has to log in again (this doesn't happen on the console, though -- I'm not sure why). In fact, the same thing happens if I'm using pam_krb5 to log in, but I've just run `passwd -e <username>`. Therefore, I'm pretty sure pam_unix has nothing to do with it.

> > I submit that this is a minor documentation bug. At the least, a brief note (such as the above paragraph) in /usr/share/doc/libpam-krb5 would suffice, in my opinion.
>
> Agreed. I'll add that in the next release.

Thank you. And thanks again for your help.

--Mike
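As an added example (not code from the thread or from libpam-krb5): a POSIX sh check of an sshd_config for the two settings a full PAM conversation needs, UsePAM and ChallengeResponseAuthentication, run against constructed sample configs. It assumes sshd's first-match rule for duplicate keywords and the "Keyword Value" line form.

```shell
#!/bin/sh
# Added example, not code from the thread: audit whether an sshd_config lets
# PAM modules run a full conversation (extra prompts), as discussed above.
# sshd keeps the FIRST value it reads for a keyword, so a later duplicate
# line is silently ignored; lines under "Match" are conditional and are not
# counted as the global value. Assumes the "Keyword Value" form of sshd_config.

# effective_setting FILE KEYWORD -> prints the global value (lowercased) or "unset"
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }      # rest of file is conditional
        tolower($1) == key {
            $1 = ""; sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "")
            print tolower($0); found = 1; exit
        }
        END { if (!found) print "unset" }
    ' "$1"
}

# audit_pam_dialog FILE -> 0 when PAM modules can prompt through sshd, 1 otherwise.
# Defaults applied when a keyword is absent: UsePAM no, ChallengeResponseAuthentication yes.
audit_pam_dialog() {
    usepam=$(effective_setting "$1" UsePAM)
    cra=$(effective_setting "$1" ChallengeResponseAuthentication)
    [ "$usepam" = unset ] && usepam=no
    [ "$cra" = unset ] && cra=yes
    if [ "$usepam" = yes ] && [ "$cra" = yes ]; then
        echo "$1: full PAM dialog possible (UsePAM=$usepam, ChallengeResponseAuthentication=$cra)"
        return 0
    fi
    echo "$1: PAM modules cannot issue extra prompts (UsePAM=$usepam, ChallengeResponseAuthentication=$cra)"
    return 1
}

# Constructed sample configs (not real host files).
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
trap 'rm -f "$GOOD_CFG" "$BAD_CFG"' EXIT
printf 'UsePAM yes\nChallengeResponseAuthentication yes\n' > "$GOOD_CFG"
cat > "$BAD_CFG" <<'EOF'
# the second ChallengeResponseAuthentication line below never takes effect
Port 22
UsePAM yes
ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes
Match User backup
    ChallengeResponseAuthentication yes
EOF
audit_pam_dialog "$GOOD_CFG"
audit_pam_dialog "$BAD_CFG" || :    # exit status 1 is the finding here
```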