search for: server_policy

...AP. The PAM Configuration for Sun SSH 1.1 is: ==CUT== login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth required pam_dial_auth.so.1 login auth binding pam_unix_auth.so.1 server_policy login auth required pam_ldap.so.1 sshd-password account required pam_mymodule.so.1 sshd-none account required pam_mymodule.so.1 sshd-kbdint account required pam_mymodule.so.1 sshd-pubkey account required pam_mymodule.so.1 sshd-hostbased account re...

...ing access? root at winds06 $ grep -v \# /etc/pam.conf login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth required pam_dial_auth.so.1 login auth binding pam_unix_auth.so.1 server_policy login auth required pam_ldap.so.1 rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 rlogin auth binding pam_unix_auth.so.1 server_po...

...s file in previous releases are still acceptable. # # Authentication management # # login service (explicit because of pam_dial_auth) # login auth requisite pam_authtok_get.so.1 login auth required pam_dhkeys.so.1 login auth required pam_unix_cred.so.1 login auth binding pam_unix_auth.so.1 server_policy debug login auth required pam_ldap.so.1 use_first_pass debug # # rlogin service (explicit because of pam_rhost_auth) # rlogin auth sufficient pam_rhosts_auth.so.1 rlogin auth requisite pam_authtok_get.so.1 rlogin auth required pam_dhkeys.so.1 rlogin auth required pam_unix_cred.so.1 rlogi...

...st, OpenSSH still allows a user to log in, if user authentication method is not keyboard-interactive or password. For example, in /etc/pam.d/other: auth required pam_dhkeys.so.1 auth required pam_do_not_exist.so.1 <----------- bad auth binding pam_unix_auth.so.1 server_policy In the above situation, pam_setcred() does return an error, but server only give a warning and still allow a user to log in if he/she doesn't use keyboard-interacitve user auth. This is not an expected behavior. OpenSSH server should be changed to exit out when pam_setcred() or pam_open_s...

...osed rather than reprompting them for another try. With some PC clients they see nothing which is causing a lot of support calls... Here's the PAM configuration if that matters: sshd auth requisite pam_authtok_get.so.1 sshd auth required pam_dhkeys.so.1 sshd auth sufficient pam_unix_auth.so.1 server_policy sshd auth required pam_ldap.so.1 try_first_pass Is they any way to reprompt the user for another password? Regards, Richard Dickens To find out more about Reuters visit www.about.reuters.com Any views expressed in this message are those of the individual sender, except where the sender specifi...