[OpenAFS] trouble with pam_krb5
Christopher Allen Wing
wingc@engin.umich.edu
Mon, 18 Jul 2005 15:08:07 -0400 (EDT)
On Mon, 18 Jul 2005, Russ Allbery wrote:
>> ChallengeResponseAuthentication no
>
>> in /etc/ssh/sshd_config and see if that fixes your problem?
>
> This breaks password expiration, or any other PAM dialogs that require
> anything more complex than a simple password prompt.

Yes, but I'm guessing that it was disabled by Red Hat for a reason.

Actually, I think what happens is that it breaks PAM semantics; when
'keyboard-interactive' is in use, I bet the sshd process starts out as
root and later demotes to an unprivileged user before it has finished
making all the PAM calls. This prevents PAM from doing what it needs to
do.

OpenSSH in RHEL3 does not disable 'ChallengeResponse' in its default
config, and I have observed the above behavior there. I haven't bothered
to look at RHEL4, but it would be a simple matter of adding some syslog()
calls to the pam_krb5 entry points to print out the current uid, gid, etc.

-Chris
wingc@engin.umich.edu
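
The tracing suggested in the message above, written as a separate stackable PAM module rather than as a change to pam_krb5. This is an added example, not part of the original message and not pam_krb5 code; the module name `pam_trace`, the helper `trace_creds` and the fallback definitions used when the PAM headers are absent are assumptions made for the example.

```c
/* pam_trace.c: added example (hypothetical module name), not pam_krb5 source.
 * Build as a module: gcc -fPIC -shared -o pam_trace.so pam_trace.c */
#include <stdio.h>
#include <syslog.h>
#include <sys/types.h>
#include <unistd.h>

#if defined(__has_include)
# if __has_include(<security/pam_modules.h>)
#  include <security/pam_modules.h>
#  define HAVE_PAM_HEADERS 1
# endif
#endif
#ifndef HAVE_PAM_HEADERS        /* fallback so the file compiles without PAM headers */
typedef struct pam_handle pam_handle_t;
# define PAM_IGNORE 25          /* value used by Linux-PAM */
#endif

/* Log the real and effective ids seen at one PAM entry point.
 * Returns 1 while the calling process still has euid 0, otherwise 0. */
int trace_creds(const char *entry, char *buf, size_t len)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    snprintf(buf, len, "%s: pid=%ld uid=%ld euid=%ld gid=%ld egid=%ld%s",
             entry, (long)getpid(), (long)ruid, (long)euid,
             (long)rgid, (long)egid,
             euid == 0 ? "" : " (not root: privileges already dropped)");
    syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", buf);
    return euid == 0;
}

/* Every entry point only logs and returns PAM_IGNORE, so stacking the
 * module does not change the outcome of the other modules in the stack. */
#define TRACE_ENTRY(name)                                                  \
    int name(pam_handle_t *pamh, int flags, int argc, const char **argv)   \
    {                                                                      \
        char line[256];                                                    \
        (void)pamh; (void)flags; (void)argc; (void)argv;                   \
        trace_creds(#name, line, sizeof line);                             \
        return PAM_IGNORE;                                                 \
    }

TRACE_ENTRY(pam_sm_authenticate)
TRACE_ENTRY(pam_sm_setcred)
TRACE_ENTRY(pam_sm_acct_mgmt)
TRACE_ENTRY(pam_sm_open_session)
TRACE_ENTRY(pam_sm_close_session)
TRACE_ENTRY(pam_sm_chauthtok)
```

Stacked as `optional` in the sshd PAM service file, the logged pid and euid for each entry point show which sshd process made the call and whether it was still root, which can be compared with ChallengeResponseAuthentication set to yes and to no.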