On Mon, 11 Sep 2000, Ethan Benson wrote:

> On Mon, Sep 11, 2000 at 09:18:05PM -0500, Michael A. Dietz wrote:
> > > RSA auth bypasses a lot of the normal account locking features). Problem
> > > is, it got axed sometime after as "the wrong place for unix account
> > > verification".
> >
> > OpenSSH 2.2.0p1 supports ssh1 and 2 protocols. It also properly prompts
> > for the password in the LATEST release assuming you have set a password
> > expiration date.
> >
> > As for prompting for a password even with RSA authentication, this would
> > severely break configurations using ssh to copy files and run scripts
> > automatically (without requiring a password). What if your cron'd remote
> > mirroring scp fails (for 2 days straight) because your password expired on
> > a Saturday and it prompts you to change it even though you use RSA key
> > authentication for your scripts? I can think of many more examples where
> > the above would be unwanted.
>
> scp does not create an interactive session, so it should be possible
> for ssh to eschew password change enforcement for non-interactive sessions.
>
> this would allow users to avoid it by logging in by ssh host /bin/bash
> but if they are that stubborn they will find other ways to get out of
> changing their password.

This sounds acceptable; most users don't even know how to change their password manually (this is why I want it to prompt automatically), let alone discover this hack.

> > Maybe OpenSSH should allow you to configure how it controls RSA
> > authentication and pam (strict or relaxed), but it shouldn't force strict
> > checking that would break ssh's ability to run automatically.
>
> seems to me it would make sense to move the RSA authentication into a
> PAM module, stack it in as a sufficient.

This would also be a good solution. What is involved in creating a PAM module? How easy is it?
-- 
Paul Faure                                      paul@paulfaure.com
Carleton University Systems Engineer 3rd Year   paul@porkchop.org
Engsoc Admin/BOG Technical Director             paul@engsoc.org
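For readers wondering what "stack it in as a sufficient" would look like in practice, the Linux-PAM stack for sshd below is an added illustration, not something from this thread or from OpenSSH; `pam_rsa.so` is a hypothetical module name standing in for the key-authentication module Ethan proposes, and the layout assumes sshd runs the auth and account stacks for every login, key-authenticated or not.

```text
# /etc/pam.d/sshd   (illustration; pam_rsa.so is a hypothetical module name)

# auth stack: if the key module succeeds, "sufficient" ends the stack with
# success and pam_unix is never consulted, so no password prompt appears.
# If the key module fails, control falls through to pam_unix and the
# password is asked for as usual.
auth      sufficient  pam_rsa.so
auth      required    pam_unix.so

# account stack: runs no matter which auth module granted access. pam_unix
# checks the shadow expiry fields here and returns PAM_NEW_AUTHTOK_REQD when
# the password has expired; that is what drives the forced change prompt.
account   required    pam_unix.so

# password stack: used by the forced change itself.
password  required    pam_unix.so

# session stack.
session   required    pam_unix.so
```

Because expiry is decided in the account stack rather than the auth stack, authenticating with a key does not skip it, which is the property the thread is after.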