SSH, REQUIRES_PWCHANGE and policies problem
Greg Hudson
ghudson at MIT.EDU
Fri Sep 2 00:35:18 EDT 2011
On Thu, 2011-09-01 at 19:11 -0400, Russ Allbery wrote:
> Okay, this is indeed all being handled internally by the Kerberos library.
> Maybe one of the MIT Kerberos folks can comment about how errors are
> reported through the Kerberos prompter facility.

If a password change fails with a "soft error", the prompter is invoked
up to two more times with the banner changed to include the error string
from the server.

However, a bug was introduced in krb5 1.7 which caused kadmind to return
a "hard error" for password quality failures. The client code handles a
hard error by returning from krb5_get_init_creds_password() immediately
with a not-very-descriptive error code. This kadmind bug was fixed in
krb5 1.9.1.
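
The behaviour described in the message above, modelled as a small self-contained C program (an added example, not code from krb5 or from the post). The result-code values are those of the RFC 3244 password-change protocol; the server's length rule, the banner strings, and the names `server_change` and `change_password` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Result codes of the RFC 3244 password-change protocol. */
enum { KPASSWD_SUCCESS = 0, KPASSWD_HARDERROR = 2, KPASSWD_SOFTERROR = 4 };
#define MAX_TRIES 3 /* first prompt plus "up to two more times" */
struct outcome {
    int prompts;           /* times the prompter was invoked */
    int changed;           /* 1 if the password change succeeded */
    char last_banner[128]; /* banner on the last prompt the user saw */
};

/* Hypothetical server with one quality rule (minimum length 8).
 * quality_code is the code sent for a rejection: SOFTERROR for a
 * correct kadmind, HARDERROR to model the bug in the message. */
static int server_change(const char *pw, int quality_code, const char **msg)
{
    *msg = strlen(pw) < 8 ? "Password is too short" : "";
    return strlen(pw) < 8 ? quality_code : KPASSWD_SUCCESS;
}

/* Client loop; typed[] stands in for what the user enters (constructed). */
struct outcome change_password(const char *const typed[], int n, int quality_code)
{
    struct outcome o = {0, 0, ""};
    char banner[128] = "Password expired. You must change it now.";
    for (int i = 0; i < MAX_TRIES && i < n; i++) {
        const char *msg;
        strcpy(o.last_banner, banner);
        o.prompts++;
        int rc = server_change(typed[i], quality_code, &msg);
        if (rc == KPASSWD_SUCCESS) { o.changed = 1; break; }
        if (rc != KPASSWD_SOFTERROR) break; /* hard error: return at once */
        snprintf(banner, sizeof banner, "%s. Please try again.", msg);
    }
    return o;
}

int main(void)
{
    const char *const typed[] = {"short", "alsobad", "long-enough-pw"};
    int codes[] = {KPASSWD_SOFTERROR, KPASSWD_HARDERROR};
    for (int k = 0; k < 2; k++) {
        struct outcome o = change_password(typed, 3, codes[k]);
        printf("code %d: prompts=%d changed=%d last banner: %s\n",
               codes[k], o.prompts, o.changed, o.last_banner);
    }
    return 0;
}
```

With the soft code the user sees the quality message in the banner and gets all three attempts; with the hard code the loop ends after one prompt and the server's message never reaches the user.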