Hello,

I've got the following situation: The 6000 accounts of our eMail-server are stored in /etc/passwd resp. /etc/shadow. To change their passwords, the users use an ssh-session. The only object of the ssh-session is to change a user's password, therefore the login shell is /usr/bin/passwd. To avoid attacks on the ssh-daemon, we only want a separate web-server with a little php-web-page to open the ssh-session.

I use apache/php with a php-module called php-ssh2 and a library called libssh2 to establish the ssh-session. This works fine, until it comes to the point where the old password is sent to /usr/bin/passwd. I get the following screen in /var/log/messages:

    sshd[]: pam_unix2: pam_sm_authenticate() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
    sshd[]: pam_unix2: pam_sm_acct_mgmt() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: expire() returned with 0
    sshd[]: Accepted password for dummy from 192.168.136.50 port 6235 ssh2
    sshd[]: pam_unix2: session started for user dummy, service sshd
    sshd[]: pam_unix2: pam_sm_setcred() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCES
    -passwd[]: pam_unix2: pam_sm_chauthtok() called
    -passwd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_setcred() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
    sshd[]: pam_unix2: session finished for user dummy, service sshd
    -passwd[]: pam_unix2: pam_sm_chauthtok() called
    -passwd[]: pam_unix2: username=[dummy]
    -passwd[]: User dummy: Authentication token manipulation error
    -passwd[]: password change failed, pam error 20 - account=dummy, uid=1000, by=1000

If I use some other tools like gnu-ssh or putty, it all works very well.

Is there a difference between the two methods gnu-ssh and PHP-script, which /usr/bin/passwd recognizes, e.g. keyboard-interactive vs. tunneled-cleartext?
I think of this, because I had to change some settings in /etc/ssh/sshd-config to enable tunneled-cleartext authentication:

    PasswordAuthentication yes

Enabling or disabling the following in sshd-config has no effect:

    ChallangeResponseAuthentication no
    UsePAM yes

What does that mean: 'Authentication token manipulation error'?

Is it possible to use /usr/bin/passwd with a pipe, like libssh2 does?

The PAM configuration is mostly SuSE 10.0 original, except the debug-feature.

/etc/pam.d/sshd:

    auth required pam_env.so debug
    auth required pam_unix2.so debug
    auth required pam_nologin.so
    account required pam_unix2.so debug
    password required pam_pwcheck.so nullok
    password required pam_unix2.so nullok use_first_pass use_authtok debug
    session required pam_limits.so
    session required pam_unix2.so debug

/etc/pam.d/password:

    auth required pam_env.so debug
    auth required pam_unix2.so debug
    account required pam_unix2.so debug
    password required pam_pwcheck.so nullok
    password required pam_unix2.so nullok use_first_pass use_authtok debug
    session required pam_limits.so
    session required pam_unix2.so debug

Versions:

Webserver:
    apache2-2.0.54-10
    apache2-mod_php4-4.4.0-6.6
    php4-4.4.0-6.6
    libssh2-0.12
    php-ssh2-0.10

eMailserver (on which password has to be changed):
    openssh-4.1p1-10
    pam-0.80-6
    pam-modules-10.0-11.2

Your help is greatly appreciated.

Joerg
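Added example, not part of the original post: a small Python helper that puts the pam_unix2 debug lines quoted above on a timeline and reports whether the sshd session was logged as finished before passwd's last pam_sm_chauthtok() call. The sample lines are copied from the post; the function names and the report keys are assumptions of this example.

```python
import re

# Lines copied from the log quoted in the post (empty PIDs as posted).
SAMPLE_LOG = """\
sshd[]: Accepted password for dummy from 192.168.136.50 port 6235 ssh2
sshd[]: pam_unix2: session started for user dummy, service sshd
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: session finished for user dummy, service sshd
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
-passwd[]: User dummy: Authentication token manipulation error
-passwd[]: password change failed, pam error 20 - account=dummy, uid=1000, by=1000
"""

# Patterns use search(), so a syslog timestamp/host prefix does not matter.
EVENTS = [
    ("session_start", re.compile(r"sshd\[\d*\]: pam_unix2: session started for user (\S+),")),
    ("session_end", re.compile(r"sshd\[\d*\]: pam_unix2: session finished for user (\S+),")),
    ("chauthtok", re.compile(r"passwd\[\d*\]: pam_unix2: pam_sm_chauthtok\(\) called")),
    ("failed", re.compile(r"passwd\[\d*\]: password change failed, pam error (\d+) - account=(\S+),")),
]

def timeline(log_text):
    """Return ordered (event, captured_groups) tuples for recognised lines."""
    out = []
    for line in log_text.splitlines():
        for name, rx in EVENTS:
            m = rx.search(line)
            if m:
                out.append((name, m.groups()))
                break
    return out

def diagnose(log_text):
    """Summarise how far passwd got relative to the ssh session lifetime."""
    tl = timeline(log_text)
    names = [name for name, _ in tl]
    calls = [i for i, n in enumerate(names) if n == "chauthtok"]
    end = names.index("session_end") if "session_end" in names else None
    errors = [groups[0] for name, groups in tl if name == "failed"]
    return {
        "chauthtok_calls": len(calls),
        "session_closed_before_last_chauthtok":
            end is not None and bool(calls) and end < calls[-1],
        "pam_error": int(errors[0]) if errors else None,
    }

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```
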