On Mon, Sep 11, 2000 at 09:18:05PM -0500, Michael A. Dietz wrote:
> > RSA auth bypasses a lot of the normal account locking features). Problem
> > is, it got axed sometime after as "the wrong place for unix account
> > verification".
> OpenSSH 2.2.0p1 supports ssh1 and 2 protocols. It also properly prompts
> for the password in the LATEST release assuming you have set a password
> expiration date.
>
> As for prompting for a password even with RSA authentication, this would
> severely break configurations using ssh to copy files and run scripts
> automatically (without requiring a password). What if your cron'd remote
> mirroring scp fails (for 2 days straight) because your password expired on
> a Saturday and it prompts you to change it even though you use RSA key
> authentication for your scripts? I can think of many more examples where
> the above would be unwanted.

scp does not create an interactive session, so it should be possible
for ssh to eschew password change enforcement for non-interactive
sessions. this would allow users to avoid it by logging in by ssh
host /bin/bash but if they are that stubborn they will find other ways
to get out of changing their password.

> Maybe OpenSSH should allow you to configure how it controls RSA
> authentication and pam (strict or relaxed), but it shouldn't force strict
> checking that would break ssh's ability to run automatically.

seems to me it would make sense to move the RSA authentication into a
PAM module, stack it in as a sufficient.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/