Craig Gallek <[EMAIL PROTECTED]> writes: > That is correct. I've attached the debug output for pam_krb5.so with > ChallengeResponseAuthentication both on and off.
> ChallengeResponseAuthentication yes: This case I *think* I've fixed in Subversion, btw, by working around the OpenSSH error, but it's a shame to have to work around what's really an OpenSSH bug. > ChallengeResponseAuthentication no with unix password: > Jan 1 22:34:02 optimus sshd[4688]: Accepted password for cgallek from > 192.168.0.14 port 50991 ssh2 > Jan 1 22:34:02 optimus sshd[4690]: (pam_krb5): none: pam_sm_setcred: > entry (0x2) This isn't using PAM at all -- note the lack of calls to pam_sm_authenticate. Oh! Do you have "UsePAM yes" in your sshd_config? ChallengeResponseAuthentication always forces PAM authentication, I believe; otherwise, sshd defaults to doing an old-style crypt password match against /etc/shadow unless UsePAM is yes. (I think.) -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]