SSH, REQUIRES_PWCHANGE and policies problem

Russ Allbery rra at stanford.edu
Thu Sep 1 19:11:18 EDT 2011


Andreas Ntaflos <daff at pseudoterminal.org> writes:

> It seems indeed that SSH gets informed that the password change failed,
> but doesn't know much else. I don't see a message prefixed with
> "krb5_change_password", I'm afraid.

Okay, this is indeed all being handled internally by the Kerberos library.
Maybe one of the MIT Kerberos folks can comment about how errors are
reported through the Kerberos prompter facility.  (My PAM module
unfortunately doesn't log the prompts that it passes along from Kerberos;
I should probably look at doing that.)

> After adding "debug" to the pam-krb5 options the server's SSH logs show
> this when the user logs in and changes the password:

> pam_krb5(sshd:auth): pam_sm_authenticate: entry (0x1)
> pam_krb5(sshd:auth): (user testuser) attempting authentication as
> testuser at EXAMPLE.COM
> pam_krb5(sshd:auth): (user testuser) krb5_get_init_creds_password:
> Password change failed
> pam_krb5(sshd:auth): authentication failure; logname=testuser uid=0
> euid=0 tty=ssh ruser= rhost=xx.yy.zz.aa

The problem from SSH's perspective is that since it's doing an
authentication, not a password change, it doesn't know that the password
change failed.  All that PAM can tell it is that the authentication
failed, not why (in this case a forced and failed password change).  So it
starts the authentication over again, which just presents a new password
change prompt again.

But even if ssh knew it was a failed password change, it wouldn't know
why.  What you need is for the agent that's attempting the password change
to tell the user the error message that it got back from the password
change service.  The Kerberos library has that information; I'm not sure
how it handles it.

A workaround would be to set defer_pwchange in the PAM options, which I
believe ssh will handle correctly and which will restore control over the
messaging to the PAM module.  However, read the caveats for that option in
the pam_krb5 man page before using it.

> I don't know anything about the Kerberos library internals but when
> using the normal "passwd" program with the PAM stack described in my
> previous message I indeed get informed of the policy violation:

This is a much different case, since this calls the password change
functionality directly and therefore the PAM module is in control of all
the prompting and gets the error message itself.  It's an entirely
different code path than forced password change during initial
authentication.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
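For readers following the workaround mentioned above, here is an added example of what the sshd PAM stack might look like with `defer_pwchange` and `debug` set on pam_krb5. This is constructed for illustration and is not from the original message or the pam-krb5 project; it assumes a Debian-style /etc/pam.d/sshd layout with local pam_unix fallback, and assumes the pam-krb5 behaviour that with `defer_pwchange` the authentication call succeeds and the account-management call then signals that a new password is required, so that sshd itself runs the password stack.

```conf
# /etc/pam.d/sshd  (constructed example fragment, adjust to your distribution)
#
# Without defer_pwchange, pam_krb5 handles the forced password change inside
# pam_sm_authenticate; if the KDC rejects the new password for a policy reason,
# sshd only learns "authentication failed" and simply restarts the prompts.
# With defer_pwchange, authentication succeeds and the expired-password state is
# reported from the account stack instead, so sshd drives the change through
# the password stack, where the PAM module controls the prompting and messages.

# --- authentication ---
# debug: log each pam_krb5 step to syslog (auth facility), as in the thread.
# defer_pwchange: do not perform the forced change here; report it later.
auth      sufficient  pam_krb5.so debug defer_pwchange
auth      required    pam_unix.so try_first_pass

# --- account management ---
# pam_krb5 must be here, otherwise the deferred "password must change" state
# is never surfaced to sshd and the user is let in with an expired password.
account   required    pam_krb5.so debug
account   required    pam_unix.so

# --- password change ---
# pam_krb5 must be in this stack as well so that the change actually goes to
# the KDC; this is the same code path as the "passwd" case from the thread,
# so the policy-violation text returned by the KDC is shown to the user.
password  sufficient  pam_krb5.so debug
password  required    pam_unix.so use_authtok

# --- session ---
session   optional    pam_krb5.so
```

Note that sshd only walks the account and password stacks when `UsePAM yes` is set in sshd_config, and keyboard-interactive (challenge-response) authentication must be enabled for the prompts to reach the user.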
