On Mon, 11 Sep 2000, Ben Collins wrote:

> On Mon, Sep 11, 2000 at 01:30:31PM -0400, Paul Nicholas Faure wrote:
> > Does OpenSSH support PAM fully?
> > OpenSSH does not prompt the user for a new password if it has expired. It
> > simply says "Warning: You password has expired, please change it now".
> >
> > My /etc/pam.d/sshd file is:
> >
> > auth required /lib/security/pam_securetty.so
> > auth required /lib/security/pam_unix.so shadow nullok
> > auth required /lib/security/pam_nologin.so
> > account required /lib/security/pam_unix.so
> > password required /lib/security/pam_cracklib.so retry=3
> > password required /lib/security/pam_unix.so shadow nullok use_authtok nis
> > session required /lib/security/pam_unix.so
> > session optional /lib/security/pam_console.so
> >
> > My /etc/pam.d/login file is the same as /etc/pam.d/sshd. And telnet
> > properly prompts me for a password.
>
> I had a patch for OpenSSH 1 that got accepted upstream, and allowed it to
> check PAM session and account, even during RSA authentication (currently
> RSA auth bypasses a lot of the normal account locking features). Problem
> is, it got axed sometime after as "the wrong place for unix account
> verification".

OpenSSH 2.2.0p1 supports ssh1 and 2 protocols. It also properly prompts for
the password in the LATEST release assuming you have set a password
expiration date.

As for prompting for a password even with RSA authentication, this would
severely break configurations using ssh to copy files and run scripts
automatically (without requiring a password). What if your cron'd remote
mirroring scp fails (for 2 days straight) because your password expired on
a Saturday and it prompts you to change it even though you use RSA key
authentication for your scripts? I can think of many more examples where
the above would be unwanted.

Maybe OpenSSH should allow you to configure how it controls RSA
authentication and pam (strict or relaxed), but it shouldn't force strict
checking that would break ssh's ability to run automatically.

> IMO, this is a serious lack in OpenSSH's (and even fsecure's Unix sshd)
> functionality.

----------------
Running on Linux 2.4
Michael A. Dietz
mad099@dietznet.net
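As an added illustration (not code from the thread, from OpenSSH or from Linux-PAM) of what the `account required pam_unix.so` line in the quoted config decides, the following Python evaluates /etc/shadow-style entries the way pam_unix's password-aging check does: OK, warning period, password expired ("change it now"), forced change, inactive, or account expired. The sample entries, the day number and the status names are constructed for illustration.

```python
from typing import Dict, Optional, Tuple

NEVER = 99999  # conventional /etc/shadow 'max' meaning "never expires"
TODAY = 11211  # days since 1970-01-01 (2000-09-11, the date of this thread)

# Constructed sample entries (hash field replaced by a placeholder):
# name:hash:lastchg:min:max:warn:inact:expire:reserved
SAMPLE_SHADOW = """\
alice:$1$x:11100:0:90:7:::
bob:$1$x:11200:0:90:7:::
carol:$1$x:11130:0:90:14:::
dave:$1$x:0:0:99999:7:::
eve:$1$x:11000:0:90:7:30::
grace:$1$x:11200:0:90:7::11200:
"""

def _num(s: str) -> Optional[int]:
    return None if s in ("", "-1") else int(s)  # empty or -1 means "not set"

def check_shadow_entry(line: str, today: int = TODAY) -> Tuple[str, Optional[int]]:
    """Return (status, days_left) for one shadow entry on day 'today'.
    status: ok | warn | expired | new_password | inactive | acct_expired"""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow entry: %r" % line)
    lastchg, maxdays, warn, inact, expire = (_num(f[i]) for i in (2, 4, 5, 6, 7))
    if expire is not None and today >= expire:   # hard account expiry date
        return ("acct_expired", None)
    if lastchg == 0:                              # admin forced change at next login
        return ("new_password", None)
    if lastchg is None or maxdays is None or maxdays >= NEVER:
        return ("ok", None)                       # no usable aging data
    expiry_day = lastchg + maxdays
    if today > expiry_day:
        # Past max age; after a further 'inact' days the account is disabled.
        if inact is not None and today > expiry_day + inact:
            return ("inactive", None)
        return ("expired", None)                  # the "change it now" case
    days_left = expiry_day - today
    if warn is not None and days_left <= warn:
        return ("warn", days_left)
    return ("ok", days_left)

def classify_all(shadow_text: str = SAMPLE_SHADOW, today: int = TODAY) -> Dict[str, str]:
    """Map each user to its aging status, as the account stack would report it."""
    return {l.split(":")[0]: check_shadow_entry(l, today)[0]
            for l in shadow_text.splitlines() if l}
```

Whether sshd runs this account check at all for a key-based login is exactly the policy question the thread argues over; the check itself is independent of the authentication method.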