Re: SSH, REQUIRES_PWCHANGE and policies problem
Andreas Ntaflos <daff <at> pseudoterminal.org>
2011-09-01 23:03:56 GMT
On 2011-09-02 00:42, Russ Allbery wrote:
> Andreas Ntaflos <daff <at> pseudoterminal.org> writes:
>
>> However, when a policy is set, and the user's new password does not
>> conform to that policy, SSH does not inform the user of the problem, it
>> simply re-prompts for the original password and then asks for a new
>> password again. Naturally, a user will find this confusing.
>
> pam-krb5 on Debian and Ubuntu, which presumably is what you're using,
> tries to tell the user about a password change failure by sending a
> message to the PAM conversation of type PAM_ERROR_MSG. It sounds like for
> some reason ssh isn't accepting and displaying that message?
>
> Could you try adding "debug" to the PAM options for the auth stack and see
> if the output in your local syslog about what pam-krb5 saw as the password
> change error is correct? You should see something prefixed with
> krb5_change_password. (I wonder if that should be logged at a level
> higher than debug.)
Russ, thanks for your prompt response, again!
It seems indeed that SSH gets informed that the password change failed,
but doesn't know much else. I don't see a message prefixed with
"krb5_change_password", I'm afraid.
After adding "debug" to the pam-krb5 options the server's SSH logs show
this when the user logs in and changes the password:
pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
pam_krb5(sshd:auth): (user testuser) attempting authentication as
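Russ's suggestion above (enable "debug" on pam-krb5 and look in syslog for the krb5_change_password message) produces a lot of interleaved lines once several sessions are active. The script below is an added example, not code from the thread or from pam-krb5 itself: it groups pam_krb5 debug output by sshd PID and pulls out, per session, the user name and the reason a password change failed, which is the information sshd was not showing the user. The sample log is constructed; the first two pam_krb5 lines mirror the ones quoted in the post, while the chauthtok and krb5_change_password lines, the host name, PIDs and realm are assumptions about what a debug-enabled pam-krb5 logs, so adjust the patterns to the wording your version actually emits.

```python
import re
from collections import defaultdict

# pam-krb5 prefixes its syslog output with "pam_krb5(<service>:<pam_type>): ",
# after the normal syslog header "<timestamp> <host> <proc>[<pid>]: ".
PAM_KRB5_RE = re.compile(
    r"^(?P<ts>\S+\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<proc>\w+)\[(?P<pid>\d+)\]: "
    r"pam_krb5\((?P<service>[^:]+):(?P<pam_type>[^)]+)\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"^\(user (?P<user>\S+)\) attempting authentication")

# Constructed sample log (not from the original post). Lines 1 and 2 of PID 4321
# follow the thread; the chauthtok/krb5_change_password lines, host, PIDs and
# realm are assumed wording for a failed password change with "debug" enabled.
SAMPLE_LOG = """\
Sep  2 00:55:01 kdc-client sshd[4321]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Sep  2 00:55:01 kdc-client sshd[4321]: pam_krb5(sshd:auth): (user testuser) attempting authentication as testuser@EXAMPLE.COM
Sep  2 00:55:02 kdc-client sshd[4321]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Sep  2 00:55:09 kdc-client sshd[4321]: pam_krb5(sshd:chauthtok): pam_sm_chauthtok: entry (0x4000)
Sep  2 00:55:11 kdc-client sshd[4321]: pam_krb5(sshd:chauthtok): krb5_change_password: Password is too short
Sep  2 00:55:11 kdc-client sshd[4321]: pam_krb5(sshd:chauthtok): pam_sm_chauthtok: exit (failure)
Sep  2 00:56:30 kdc-client sshd[4399]: pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
Sep  2 00:56:30 kdc-client sshd[4399]: pam_krb5(sshd:auth): (user alice) attempting authentication as alice@EXAMPLE.COM
Sep  2 00:56:31 kdc-client sshd[4399]: pam_krb5(sshd:auth): pam_sm_authenticate: exit (success)
Sep  2 00:56:31 kdc-client cron[77]: pam_unix(cron:session): session opened for user root
"""


def parse_pam_krb5_lines(text):
    """Yield one dict per line that carries pam_krb5 output; other lines are skipped."""
    for line in text.splitlines():
        m = PAM_KRB5_RE.match(line)
        if m:
            yield m.groupdict()


def sessions_by_pid(text):
    """Group pam_krb5 messages by the PID of the sshd child, i.e. by login session."""
    sessions = defaultdict(list)
    for rec in parse_pam_krb5_lines(text):
        sessions[rec["pid"]].append(rec)
    return dict(sessions)


def password_change_failures(text):
    """Return {pid: {"user": ..., "reason": ...}} for sessions whose
    pam_sm_chauthtok exited with anything other than success.

    The reason is the text after "krb5_change_password:" when pam-krb5
    logged one; otherwise a note that the module reported failure only.
    """
    failures = {}
    for pid, recs in sessions_by_pid(text).items():
        user, reason, failed = None, None, False
        for rec in recs:
            msg = rec["msg"]
            um = USER_RE.match(msg)
            if um:
                user = um.group("user")
            if rec["pam_type"] != "chauthtok":
                continue
            if msg.startswith("krb5_change_password:"):
                reason = msg.split(":", 1)[1].strip()
            elif msg.startswith("pam_sm_chauthtok: exit") and "success" not in msg:
                failed = True
        if failed:
            failures[pid] = {
                "user": user,
                "reason": reason or "no krb5_change_password message logged",
            }
    return failures


if __name__ == "__main__":
    # Typical use: python3 this_script.py < /var/log/auth.log
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for pid, info in password_change_failures(text).items():
        print(f"sshd[{pid}] user={info['user']}: password change rejected: {info['reason']}")
```

If the krb5_change_password line is present in syslog but the user still only sees a re-prompt, the reason text reached the module and was lost between the PAM conversation and the SSH client, which narrows the search to how sshd forwards PAM_ERROR_MSG; if it is absent, the module never got a reason from the KDC to begin with.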