Re: OpenSSH and PAM
- From: Ben Collins <bcollins debian org>
- To: pam-list redhat com
- Subject: Re: OpenSSH and PAM
- Date: Mon, 11 Sep 2000 17:34:15 -0400
On Mon, Sep 11, 2000 at 01:30:31PM -0400, Paul Nicholas Faure wrote:
> Does OpenSSH support PAM fully ?
> OpenSSH does not prompt the user for a new password if it has expired. It
> simply says "Warning: You password has expired, please change it now".
>
> My /etc/pam.d/sshd file is:
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_unix.so shadow nullok
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_unix.so
> password required /lib/security/pam_cracklib.so retry=3
> password required /lib/security/pam_unix.so shadow nullok use_authtok nis
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_console.so
>
> My /etc/pam.d/login file is the same as /etc/pam.d/sshd. And telnet
> properly prompts me for a password.
I had a patch for OpenSSH 1 that got accepted upstream, and allowed it to
check PAM session and account, even during RSA authentication (currently
RSA auth bypasses a lot of the normal account locking features). Problem
is, it got axed sometime after as "the wrong place for unix account
verification".

IMO, this is a serious lack in OpenSSH's (and even fsecure's Unix sshd)
functionality.
--
-----------=======-=-======-=========-----------=====------------=-=------
/ Ben Collins -- ...on that fantastic voyage... -- Debian GNU/Linux \
` bcollins@debian.org -- bcollins@openldap.org -- bcollins@linux.com '
`---=========------=======-------------=-=-----=-===-======-------=--=---'
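
Added example, not part of the original message and not OpenSSH code: a short Python check that maps the /etc/pam.d/sshd file quoted above onto the Linux-PAM calls that run each management group, to show which rules a login path never consults when it skips some calls. The three call sets (`PASSWORD_LOGIN`, `KEY_LOGIN_NO_PAM`, `KEY_LOGIN_WITH_ACCOUNT`) and all function names are assumptions made for the illustration.

```python
# Added illustration (not from the thread): which rules of a PAM service
# file are consulted for the PAM calls a server makes on a login path.
SSHD_PAM = """\
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_unix.so shadow nullok
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password required /lib/security/pam_unix.so shadow nullok use_authtok nis
session required /lib/security/pam_unix.so
session optional /lib/security/pam_console.so
"""  # the /etc/pam.d/sshd quoted in the message

# Linux-PAM API call -> management group whose stack it runs.
CALL_TO_GROUP = {
    "pam_authenticate": "auth", "pam_setcred": "auth",
    "pam_acct_mgmt": "account", "pam_chauthtok": "password",
    "pam_open_session": "session", "pam_close_session": "session",
}

# Call sets per login path: assumptions made for this example.
PASSWORD_LOGIN = ["pam_authenticate", "pam_acct_mgmt", "pam_open_session"]
KEY_LOGIN_NO_PAM = []  # key auth handled entirely outside PAM
KEY_LOGIN_WITH_ACCOUNT = ["pam_acct_mgmt", "pam_open_session"]

def parse_service(text):
    """Return (group, control, module, args) for each simple rule line."""
    rules = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) < 3:
            raise ValueError("malformed PAM rule: %r" % raw)
        group, control, path = fields[:3]
        rules.append((group, control, path.rsplit("/", 1)[-1], fields[3:]))
    return rules

def coverage(rules, calls):
    """Split rules into (consulted, never consulted) for the given calls."""
    groups = {CALL_TO_GROUP[c] for c in calls}
    ran = [(g, m) for g, _, m, _ in rules if g in groups]
    skipped = [(g, m) for g, _, m, _ in rules if g not in groups]
    return ran, skipped

def auth_only_modules(rules):
    """Modules listed under auth with no entry under account."""
    account = {m for g, _, m, _ in rules if g == "account"}
    return [m for g, _, m, _ in rules if g == "auth" and m not in account]
```

For the quoted file, `auth_only_modules` returns pam_securetty.so and pam_nologin.so: rules that a login path skipping pam_authenticate never reaches.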