Attached is a patch that allows for an interactive Kerberos password
change via keyboard-interactive, and also reports any banners received
from krb5_g_i_c_p() (e.g., password expiration notification if you have
krb5-1.2.x patched appropriately).

This could probably be refactored a bit and probably done better, but
I'm sending this in in case anyone finds it useful.

The major drawback is that it doesn't work under privsep, due to the
chroot jail. I tried adding the necessary files under /var/empty and
was able to get the password change to work, but then authentication
itself still fails (in auth_krb5_password_via_kbd_int:krb5_kuserok(),
possibly due to the absence of <chroot>/etc/.name_service_door).

Does anyone know if it's architecturally possible to get this code to
work under privsep, or rather, out from under privsep? Privsep is
a bit difficult to debug, but I'll keep plugging away if need be.

(Note, this patch is against 3.5p1, but the same problem happens when
3.6p1 is patched with it).
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
"Given a choice between a complex, difficult-to-understand, disconcerting
explanation and a simplistic, comforting one, many prefer simplistic
comfort if it's remotely plausible, especially if it involves blaming
someone else for their problems."
-- Bob Lewis, _Infoworld_
Name: openssh-3.5p1.krb5-kbdint.patch.txt
Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030422/0a86522e/attachment.txt