
Re: OpenSSH and PAM



On Mon, Sep 11, 2000 at 01:30:31PM -0400, Paul Nicholas Faure wrote:
> Does OpenSSH support PAM fully ?
> OpenSSH does not prompt the user for a new password if it has expired. It
> simply says "Warning: You password has expired, please change it now".
> 
> My /etc/pam.d/sshd file is:
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_unix.so shadow nullok
> auth       required     /lib/security/pam_nologin.so
> account    required     /lib/security/pam_unix.so
> password   required     /lib/security/pam_cracklib.so retry=3
> password   required     /lib/security/pam_unix.so shadow nullok use_authtok nis
> session    required     /lib/security/pam_unix.so
> session    optional     /lib/security/pam_console.so
> 
> My /etc/pam.d/login file is the same as /etc/pam.d/sshd. And telnet
> properly prompts me for a password.

I had a patch for OpenSSH 1 that got accepted upstream, and allowed it to
check PAM session and account, even during RSA authentication (currently
RSA auth bypasses a lot of the normal account locking features). Problem
is, it got axed sometime after as "the wrong place for unix account
verification".

IMO, this is a serious lack in OpenSSH's (and even fsecure's Unix sshd)
functionality.

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
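As an added, defender-side example (not code from this thread, from OpenSSH or from Linux-PAM): a small parser for the pam.d stack format quoted above, run over a constructed copy of the sshd stack from the question, reporting which management groups are configured and flagging `nullok`. It inspects the file only; whether sshd actually consults the account group on key-based logins is the point raised in the reply and cannot be seen from the file.

```python
"""Parse a Linux-PAM stack file (e.g. /etc/pam.d/sshd) and audit it. Added example."""
import re
from collections import defaultdict

# Constructed copy of the /etc/pam.d/sshd stack quoted in the thread.
SSHD_STACK = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_unix.so shadow nullok
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   required     /lib/security/pam_unix.so shadow nullok use_authtok nis
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_console.so
"""

PAM_TYPES = {"auth", "account", "password", "session"}
# type, control (plain word or [bracketed] form), module path, optional args
LINE_RE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")

def parse_pam_stack(text):
    """Return {type: [(control, module_basename, [args...]), ...]}.
    Blank lines and '#' comments are skipped; a leading '-' (optional module) is accepted."""
    stack = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        _, mtype, control, module, args = m.groups()
        if mtype not in PAM_TYPES:
            raise ValueError(f"unknown management group {mtype!r}")
        stack[mtype].append((control, module.rsplit("/", 1)[-1], (args or "").split()))
    return dict(stack)

def audit_sshd_stack(text):
    """Return findings about an sshd PAM stack that a defender would want to review."""
    stack = parse_pam_stack(text)
    findings = []
    for group in ("account", "password"):
        if not stack.get(group):
            findings.append(f"no {group} modules: expired/locked accounts not enforced via PAM")
    if not any(mod == "pam_unix.so" for _, mod, _ in stack.get("account", [])):
        findings.append("account group lacks pam_unix.so (no shadow expiry check)")
    for _, mod, args in stack.get("auth", []):
        if mod == "pam_unix.so" and "nullok" in args:
            findings.append("auth pam_unix.so allows empty passwords (nullok)")
    return findings
```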