On Thu, Dec 17, 2015 at 9:34 AM, Nasim, Kam <Kam.Nasim@xxxxxxxxxxxxx> wrote:
> Hi Darren/Damien,
>
> Sorry for responding so late. Still hope we can get this sorted out.
> Yes I am indeed using PAM for ssh authentication and disabling priv separation is a no-go for us since it opens up a security loophole.
>
> From what I can see in ptree and auth logs, when the child passwd process returns with SIGCHLD, the parent sshd process terminates.
>
> Sshd logs are as follows as requested at DEBUG3 verbosity. They indicate the ssh, followed by the password change and finally termination of connection:

Despite being asked for them earlier, you still have not provided the full debug logs, which would tell, amongst other things, what version of OpenSSH this is. That said...

[...]
> Dec 16 22:22:13 knasim-ubuntu1 sshd[8623]: debug1: SELinux support disabled

I know of no version of OpenSSH supplied by us that has that message, so I suspect you are using a modified version.

> Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: PAM: sshpam_passwd_conv called with 1 messages
[...]
> Dec 16 22:22:24 knasim-ubuntu1 passwd[8624]: pam_unix(passwd:chauthtok): password changed for nasim

This is working exactly as I described in option #2 earlier: password authentication followed by execing /bin/passwd. Your other option is what I described in #1: Disable PasswordAuthentication in sshd_config and use ChallengeResponseAuthentication/KbdInteractiveAuthentication.

> Dec 16 22:22:24 knasim-ubuntu1 sshd[8623]: debug1: Received SIGCHLD.
[...]
> Let me know what you guys think.

I think it is working as intended.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev