Bug#667928: please tell whose password libpam-krb5 is asking for

2013-11-10 Thread Harald Dunkel
IMHO "expose_account = true" should be the default. If people are using poorly maintained software on a proprietary run time environment, then their admin should explicitly disable this option. I don't see a security risk here, either. Security thro

Bug#667928: please tell whose password libpam-krb5 is asking for

2012-04-10 Thread Russ Allbery
Harald Dunkel writes:

> Pam breaking ssh is really weird. Is this some kind of design
> problem, or how comes?

It's a design problem or a bug. Some Windows clients implemented ChallengeResponse by looking for the literal prompt "Password" and can't cope with any other prompt. They're broken, s

Bug#667928: please tell whose password libpam-krb5 is asking for

2012-04-10 Thread Harald Dunkel
On 04/10/12 17:32, Russ Allbery wrote:
>
> You want:
>
> [appdefaults]
>     pam = {
>         expose_account = true
>     }
> [snip]
>
> I could include it in the password prompt by default, I suppose, although
> then it gets a bit awkward for people to configure that

Bug#667928: please tell whose password libpam-krb5 is asking for

2012-04-10 Thread Russ Allbery
Harald Dunkel writes:

> I changed krb5.conf accordingly:
> :
> :
> [auth]
> expose_account = true
> [password]
> expose_account = true

You want:

[appdefaults]
    pam = {
        expose_account = true
    }

The krb5.conf file

Bug#667928: please tell whose password libpam-krb5 is asking for

2012-04-10 Thread Harald Dunkel
I changed krb5.conf accordingly:

:
:
[auth]
expose_account = true
[password]
expose_account = true

But this did not help. I still get

# passwd jupp
Current Kerberos pass

Bug#667928: please tell whose password libpam-krb5 is asking for

2012-04-07 Thread Russ Allbery
Harald Dunkel writes:

> Package: libpam-krb5
> Version: 4.5-4

> The passwd module should tell whose password it asks for.

It intentionally doesn't do this by default (and will not do this by default) because it actually breaks some ssh clients and some people consider it a security leak. Howev

Bug#667928: please tell whose password libpam-krb5 is asking for

2012-04-07 Thread Harald Dunkel
Package: libpam-krb5
Version: 4.5-4

The passwd module should tell whose password it asks for. Sample session:

% su
Password:
# passwd jupp
Current Kerberos password:

Is it asking for my Kerberos password, for root's p