[OpenAFS] trouble with pam_krb5

Christopher Allen Wing wingc@engin.umich.edu
Mon, 18 Jul 2005 15:08:07 -0400 (EDT)

On Mon, 18 Jul 2005, Russ Allbery wrote:

>>  	ChallengeResponseAuthentication no
>> in /etc/ssh/sshd_config and see if that fixes your problem?
> This breaks password expiration, or any other PAM dialogs that require
> anything more complex than a simple password prompt.

Yes, but I'm guessing that it was disabled by Red Hat for a reason.

Actually, I think what happens is that it breaks PAM semantics; when 
'keyboard-interactive' is in use, I bet the sshd process starts out as 
root and later demotes to an unprivileged user before it has finished 
making all the PAM calls. This prevents PAM from doing what it needs to 

OpenSSH in RHEL3 does not disable 'ChallengeResponse' in its default 
config, and I have observed the above behavior there. I haven't bothered 
to look at RHEL4, but it would be a simple matter of adding some syslog() 
calls to the pam_krb5 entry points, print out the current uid, gid, etc.