On Mon, 18 Jul 2005, Russ Allbery wrote:

        ChallengeResponseAuthentication no

in /etc/ssh/sshd_config and see if that fixes your problem?

This breaks password expiration, or any other PAM dialogs that require
anything more complex than a simple password prompt.

Yes, but I'm guessing that it was disabled by Red Hat for a reason.


Actually, I think what happens is that it breaks PAM semantics; when 'keyboard-interactive' is in use, I bet the sshd process starts out as root and later demotes to an unprivileged user before it has finished making all the PAM calls. This prevents PAM from doing what it needs to do.

OpenSSH in RHEL3 does not disable 'ChallengeResponse' in its default config, and I have observed the above behavior there. I haven't bothered to look at RHEL4, but it would be a simple matter of adding some syslog() calls to the pam_krb5 entry points to print out the current uid, gid, etc.


-Chris
[EMAIL PROTECTED]
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
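The diagnostic suggested in the message above, as an added example that is not part of the original post and is not pam_krb5 code: instead of patching pam_krb5, it assumes a separate module (hypothetical name `pam_idlog`) stacked next to pam_krb5, which logs the process credentials at each PAM entry point so that any change of uid between calls shows up in syslog.

```c
/* Added example: pam_idlog.c (hypothetical module name, not pam_krb5 code).
 * Logs process credentials at every PAM entry point.
 * Build: cc -fPIC -shared -o pam_idlog.so pam_idlog.c */
#include <stdio.h>
#include <sys/types.h>
#include <syslog.h>
#include <unistd.h>
/* The entry points are compiled only where PAM development headers exist. */
#ifdef __has_include
#  if __has_include(<security/pam_modules.h>)
#    include <security/pam_modules.h>
#    define HAVE_PAM 1
#  endif
#endif

/* Format real and effective ids for one entry point.
 * Returns snprintf's count (>= len means the line was truncated). */
int idlog_format(char *buf, size_t len, const char *entry)
{
    return snprintf(buf, len, "%s: pid=%ld uid=%ld euid=%ld gid=%ld egid=%ld",
                    entry, (long)getpid(), (long)getuid(), (long)geteuid(),
                    (long)getgid(), (long)getegid());
}

/* Send the line to the auth facility; -1 if it would not fit. */
int idlog(const char *entry)
{
    char line[160];
    int n = idlog_format(line, sizeof line, entry);
    if (n < 0 || (size_t)n >= sizeof line)
        return -1;
    syslog(LOG_AUTH | LOG_DEBUG, "pam_idlog %s", line);
    return 0;
}

#ifdef HAVE_PAM
/* PAM_IGNORE keeps this module from influencing the stack's result. */
#define ENTRY(name) \
    int name(pam_handle_t *pamh, int flags, int argc, const char **argv) \
    { (void)pamh; (void)flags; (void)argc; (void)argv; \
      idlog(#name); return PAM_IGNORE; }
ENTRY(pam_sm_authenticate)
ENTRY(pam_sm_setcred)
ENTRY(pam_sm_acct_mgmt)
ENTRY(pam_sm_chauthtok)
ENTRY(pam_sm_open_session)
ENTRY(pam_sm_close_session)
#endif
```

Comparing the uid and euid values logged for the different entry points, with keyboard-interactive on and off, shows whether sshd has already dropped privileges by the time a given PAM call runs.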
