SSH, REQUIRES_PWCHANGE and policies problem

Russ Allbery rra at stanford.edu
Thu Sep 1 18:42:02 EDT 2011


Andreas Ntaflos <daff at pseudoterminal.org> writes:

> However, when a policy is set, and the user's new password does not
> conform to that policy, SSH does not inform the user of the problem, it
> simply re-prompts for the original password and then asks for a new
> password again. Naturally, a user will find this confusing.

pam-krb5 on Debian and Ubuntu, which presumably is what you're using,
tries to tell the user about a password change failure by sending a
message to the PAM conversation of type PAM_ERROR_MSG.  It sounds like for
some reason ssh isn't accepting and displaying that message?

Could you try adding "debug" to the PAM options for the auth stack and see
if the output in your local syslog about what pam-krb5 saw as the password
change error is correct?  You should see something prefixed with
krb5_change_password.  (I wonder if that should be logged at a level
higher than debug.)

Ah, hm.  The other possibility is that the Kerberos library may be
handling the password change internally, in which case I'm not sure what
its prompting behavior is on password change failure.  Actually, that's
the most likely, since usually the Kerberos library, since it's given a
prompter function, will just do everything internally.  Maybe it doesn't
print out the reason for a failed password change?

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
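The PAM_ERROR_MSG path the reply describes, as an added example that is not part of the original post nor pam-krb5's or sshd's code: a module can only reach the user through the application's conversation function, so whether the failure reason is ever shown depends on how that client handles non-prompt message styles. The struct layouts and constants are redefined locally so it compiles without libpam, and all function names and the message text are assumptions.

```c
/* Stand-alone model of the PAM conversation path the reply describes.  It does
 * not link against libpam: struct layouts and constants mirror <security/pam_appl.h>
 * but are redefined so it builds without PAM.  Names are illustrative, not pam-krb5's. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAM_SUCCESS   0
#define PAM_ERROR_MSG 3
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct pam_conv { int (*conv)(int, const struct pam_message **,
                              struct pam_response **, void *); void *appdata_ptr; };

/* Module side: a module's only channel to the user is the application's
 * conversation function, so the failure reason goes out as PAM_ERROR_MSG. */
static int report_pwchange_failure(const struct pam_conv *pc, const char *reason)
{
    char text[128];
    snprintf(text, sizeof text, "Password change failed: %s", reason);
    struct pam_message m = { PAM_ERROR_MSG, text };
    const struct pam_message *mp = &m;
    struct pam_response *resp = NULL;
    int rc = pc->conv(1, &mp, &resp, pc->appdata_ptr);
    free(resp);                        /* no answer is expected for a message */
    return rc;
}

/* Application side: whether the user sees the reason depends entirely on this. */
struct app_state { int shows_error_msgs; char seen[128]; };
static int app_conv(int n, const struct pam_message **msg,
                    struct pam_response **resp, void *appdata)
{
    struct app_state *st = appdata;
    *resp = calloc(n, sizeof **resp);   /* password prompts would be answered here */
    for (int i = 0; i < n; i++)
        if (msg[i]->msg_style == PAM_ERROR_MSG && st->shows_error_msgs)
            strncat(st->seen, msg[i]->msg, sizeof st->seen - 1 - strlen(st->seen));
    /* a client that only services prompts drops the reason and just re-prompts */
    return PAM_SUCCESS;
}

/* Runs the module against a client that does or does not display PAM_ERROR_MSG. */
const char *text_seen_by_user(int client_shows_errors)
{
    static struct app_state st;
    st = (struct app_state){ client_shows_errors, "" };
    struct pam_conv pc = { app_conv, &st };
    report_pwchange_failure(&pc, "new password does not meet policy");
    return st.seen;
}
```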