Displaying 1 result from an estimated 1 matches for "pw_exp_in_auth".
2002 Mar 26
2
SSH / PAM / Kerberos / password aging
...assword changing and instead the work is relegated till the TTY
session is setup. By then the login process has begun and the user even
has a UTMP entry.
To make matters worse, OpenSSH calls pam_setcred() before
pam_chauthtok(). Clearly that is wrong.
Our PAM_KRB5 module has a module option "pw_exp_in_auth" which causes it
to do the password aging prompting in pam_krb5:pam_sm_authenticate().
Using this option with the "sshd" PAM service causes password aging to
be performed over the kbd-interactive protocol. Good? Bad? I say "good."
Nico
--
-DISCLAIMER: an automatically app...