Kumaresh wrote:
> Is there a difference in 3.6 and 3.7 implementation of ChallengeResponse
> authentication?

Challenge-response hasn't changed much, but the PAM challenge-response 
module was completely replaced between 3.6.1p2 and 3.7p1.

> Also, what is the impact of setting UsePAM yes and no with respect to this
> authentication method and expiry passwords.

For 3.8p1 and up, when a user's password is expired and UsePAM=yes,

if Protocol == 2 and keyboard-interactive auth
	force change via keyboard-interactive
else if PrivSep == no
	force change via pam_chauthtok() at start of session
else
	force change via /usr/bin/passwd in session

With PAM enabled, password expiry is checked for *all* authentication
types (assuming PAM is configured to do so) since that test is done by
pam_acct_mgmt(), which needs to be checked for all auth types.

When UsePAM=no, password expiry is checked *only* for password
authentication, and password change is always done via /usr/bin/passwd.

Note that there is a bug when UsePAM=yes, the user's password is expired
and challenge-response is not used (see bugzilla #808).

(This is from memory, hopefully I got all the details right :-)

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
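
Added example (not part of the original message and not OpenSSH code): a Python model of the expired-password handling described in the message above, which also lists the authentication methods for which expiry is not checked under a given sshd_config. The function names, the sample config and the defaults used when a keyword is absent (UsePAM no, UsePrivilegeSeparation yes) are assumptions of this example.

```python
# Added example: models the expired-password handling described in the message
# above (3.8p1 and up). Function names and sample config are hypothetical.
AUTH_METHODS = ("password", "keyboard-interactive", "publickey", "hostbased")

# Constructed sample: the duplicate keyword shows that the first value wins.
SAMPLE_CONFIG = """\
# constructed sshd_config fragment
UsePAM no
UsePrivilegeSeparation yes
usepam yes
"""

def parse_sshd_config(text):
    """Map lowercased keyword -> lowercased value; first occurrence wins."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def expiry_handling(opts, protocol, method):
    """Return (expiry_checked, how_change_is_forced) for one login."""
    # Assumed defaults when a keyword is absent: UsePAM no, privsep yes.
    use_pam = opts.get("usepam", "no") == "yes"
    privsep = opts.get("useprivilegeseparation", "yes") != "no"
    if not use_pam:
        # Without PAM only password authentication checks expiry.
        if method == "password":
            return True, "/usr/bin/passwd in session"
        return False, None
    # With PAM, pam_acct_mgmt() runs for every auth type (if PAM is set up so).
    if protocol == 2 and method == "keyboard-interactive":
        return True, "keyboard-interactive"
    if not privsep:
        return True, "pam_chauthtok() at start of session"
    return True, "/usr/bin/passwd in session"

def unchecked_methods(opts, protocol=2):
    """Auth methods for which an expired password is never checked."""
    return [m for m in AUTH_METHODS if not expiry_handling(opts, protocol, m)[0]]

if __name__ == "__main__":
    opts = parse_sshd_config(SAMPLE_CONFIG)
    print("expiry not checked for:", unchecked_methods(opts))
```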