On Mon, Sep 11, 2000 at 01:30:31PM -0400, Paul Nicholas Faure wrote:
> Does OpenSSH support PAM fully?
> OpenSSH does not prompt the user for a new password if it has expired. It
> simply says "Warning: You password has expired, please change it now".
>
> My /etc/pam.d/sshd file is:
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_unix.so shadow nullok
> auth required /lib/security/pam_nologin.so
> account required /lib/security/pam_unix.so
> password required /lib/security/pam_cracklib.so retry=3
> password required /lib/security/pam_unix.so shadow nullok use_authtok nis
> session required /lib/security/pam_unix.so
> session optional /lib/security/pam_console.so
>
> My /etc/pam.d/login file is the same as /etc/pam.d/sshd. And telnet
> properly prompts me for a password.

I had a patch for OpenSSH 1 that got accepted upstream, and allowed it to
check PAM session and account, even during RSA authentication (currently
RSA auth bypasses a lot of the normal account locking features). Problem
is, it got axed sometime after as "the wrong place for unix account
verification".

IMO, this is a serious lack in OpenSSH's (and even fsecure's Unix sshd)
functionality.

--
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'