I checked the sources and Solaris compiles MIT Kerberos with
USE_LOGIN_LIBRARY and in gic_pwd.c it means it goes to cleanup without
password change attempt.
#ifdef USE_LOGIN_LIBRARY
if (ret == KRB5KDC_ERR_KEY_EXP)
goto cleanup; /* Login library will deal appropriately
with this error */
#endif
I think this would mean pam_krb5 needs to remember the state in
pam_authenticate (which need to return PAM_SUCCESS) and use it in
pam_acct_mgmt which will then prompt. So I guess an option like
login_library_used for pam_krb5 on Solaris is needed.
Markus
"Markus Moeller" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
>I see now the same message. I have to check again why my initial test
>looked
> OK.
>
> Markus
>
>
> "Coy Hile" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
>> On Sat, 19 Jan 2008, Russ Allbery wrote:
>>
>>
>> I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a
>> principal whose password has expired, I see the following in the debug
>> log:
>>
>> |Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5):
>> cah220:
>> attempting authentication as [EMAIL PROTECTED]
>> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5):
>> cah220:
>> krb5_get_init_creds_password: Password has expired
>> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5):
>> cah220:
>> <unknown>: exit (failure)
>>
>> For what it's worth, I've got the following in my pam.conf on this box:
>>
>> # grep sshd-kbdint pam.conf
>> sshd-kbdint auth requisite pam_authtok_get.so.1
>> sshd-kbdint auth required pam_dhkeys.so.1
>> sshd-kbdint auth required /tmp/pam_krb5.so.1 debug
>> sshd-kbdint auth optional pam_unix_auth.so.1
>> sshd-kbdint session required /tmp/pam_krb5.so.1 debug
>> #
>>
>> Am I running into SEAM just not supporting "hey bozo, you're password is
>> expired, change it now", or did I hork the configuration somehow.
>>
>> If you want, I can also provide the sshd_config.
>>
>> I appreciate any help you can give with this; I'm still a bit of a
>> novice when it comes to doing anything cute. Along the same lines, is
>> there any way to bounce back something like "Your password is going to
>> expire in n days" during the authentication process? (say only if n <
>> 10). Actually strike that. Is there some easy way to write an app
>> that you'd run from /etc/profile to banner that sort of information? If
>> I were using normal UNIX auth, I could do that relatively easily using
>> the information in the shadow file.
>>
>> --
>> Coy Hile
>> [EMAIL PROTECTED]
>> ________________________________________________
>> Kerberos mailing list Kerberos@mit.edu
>> https://mailman.mit.edu/mailman/listinfo/kerberos
>>
>
>
> ________________________________________________
> Kerberos mailing list Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
>
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
