SSH, REQUIRES_PWCHANGE and policies problem
Andreas Ntaflos
daff at pseudoterminal.org
Thu Sep 1 18:26:01 EDT 2011
Hi list,
I am currently experimenting a bit with Kerberos policies and have run
into a small usability problem regarding SSH, pam-krb5 and
REQUIRES_PWCHANGE. Using Kerberos 1.8.1, OpenSSH "5.3p1 Debian-3ubuntu6"
on Ubuntu 10.04.3.
Without a policy applied, a user with REQUIRES_PWCHANGE gets prompted by
SSH upon successful login that his password needs to be changed. This
works fine.
However, when a policy is set, and the user's new password does not
conform to that policy, SSH does not inform the user of the problem, it
simply re-prompts for the original password and then asks for a new
password again. Naturally, a user will find this confusing.
The Kerberos logs show the failed password change correctly (i.e.
"password too short"), but SSH doesn't seem to understand the problem.
In the server's SSH logs only "authentication failed" messages are
shown, here an example from our test installation:
pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0
euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=xx.yy.zz.aa user=testuser
error: PAM: Authentication failure for testuser from xx.yy.zz.aa
For reference, the relevant PAM settings on the SSH server:
account sufficient pam_krb5.so
account sufficient pam_unix.so
account required pam_deny.so
auth sufficient pam_krb5.so
auth sufficient pam_unix.so try_first_pass nullok_secure
auth required pam_deny.so
password sufficient pam_krb5.so
password sufficient pam_unix.so try_first_pass obscure sha512
password required pam_deny.so
session optional pam_krb5.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
My question: is this an SSH problem? Or a PAM problem (modules stacked
incorrectly)? Can this even be fixed? If so, how?
Thanks,
Andreas
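Added example, not from the post or from pam-krb5: a small Python simulation of Linux-PAM's simple control flags (required/sufficient/optional, the bracketed [value=action] syntax is not modelled) applied to the sshd stack quoted above, with each module's outcome supplied as constructed input. It shows which modules are still invoked once pam_krb5 rejects the new password in the password stack.

```python
# Added example, not from the post: walk the sshd PAM stack quoted above with
# Linux-PAM simple control-flag semantics and constructed module outcomes.

PAM_STACK = """\
account sufficient pam_krb5.so
account sufficient pam_unix.so
account required pam_deny.so
auth sufficient pam_krb5.so
auth sufficient pam_unix.so try_first_pass nullok_secure
auth required pam_deny.so
password sufficient pam_krb5.so
password sufficient pam_unix.so try_first_pass obscure sha512
password required pam_deny.so
session optional pam_krb5.so
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix.so
"""

def parse_stack(text):
    """Return (group, control, module, args) per non-comment line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            group, control, module, *args = line.split()
            entries.append((group, control, module, args))
    return entries

def walk(entries, group, outcomes):
    """Simulate one management group; outcomes maps module -> 'success'/'failure'
    (unlisted modules fail, which is what pam_deny always does).
    required: failure is remembered but the stack continues.
    sufficient: success ends the stack unless a required module already failed;
                failure is ignored and the next module runs.  optional: ignored.
    Returns (final result, modules invoked in order)."""
    invoked, failed = [], False
    for g, control, module, _args in entries:
        if g != group:
            continue
        invoked.append(module)
        res = outcomes.get(module, "failure")
        if control == "sufficient" and res == "success" and not failed:
            return "success", invoked
        if control == "required" and res == "failure":
            failed = True
    return ("failure" if failed else "success"), invoked

def password_stack(krb5_outcome):
    """Constructed scenario: pam_krb5 accepts or rejects the new password."""
    return walk(parse_stack(PAM_STACK), "password", {"pam_krb5.so": krb5_outcome})
```

With pam_krb5 reporting failure, the walk continues into pam_unix (with try_first_pass) and then pam_deny, so the user is handed to a second module's prompts before the stack finally fails.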