[356] in athena10
Re: update_server and remote access
daemon@ATHENA.MIT.EDU (Xavid)
Fri Aug 1 12:44:48 2008
Cc: Quentin Smith <quentin@mit.edu>, Timothy G Abbott <tabbott@mit.edu>,
athena10@mit.edu
Message-Id: <04AE250D-2315-4D34-BAC3-C729860568F2@mit.edu>
From: Xavid <xavid@MIT.EDU>
To: Jonathan Reed <jdreed@mit.edu>
In-Reply-To: <06E8DBF5-504A-4D01-8FEC-EB19FDE168DB@mit.edu>
Date: Fri, 1 Aug 2008 12:44:02 -0400

My understanding is that the first prompt is generated by a PAM module
checking for a local Unix password. pam_krb5's use_first_pass option
causes the same password to be checked against Kerberos if it isn't a
valid local password. If that fails, pam_krb5 generates a Kerberos-
style prompt to allow the user to try again, which I believe accepts
only a Kerberos password.

This behavior is pretty harmless, but we could possibly change it by
modifying the PAM configuration. It's the specified behavior of our
current PAM configuration, so potentially we'd want to figure out what
the ideal behavior is and then see if we can change our configuration to
have that behavior.

~Xavid

On 2008/08/01, at 12:25, Jonathan Reed wrote:
> "PasswordAuthentication" is set to "no".
>
> And anyway, it accepted my Kerberos password at the first
> prompt. It's just weird that if I hit enter at the Password prompt
> (supplying a null password, essentially), the next prompt is for my
> Kerberos principal.
>
> Most users are unlikely to encounter this, so if it's a known bug
> that will eventually get fixed, then that's fine.
>
> -Jon
>
> On Aug 1, 2008, at 12:19 PM, Quentin Smith wrote:
>
>> Is it possible that the ssh server has "PasswordAuthentication
>> yes", so the SSH server is first prompting for a password, and then
>> falling through to PAM authentication?
>>
>> --Quentin
>>
>> On Fri, 1 Aug 2008, Timothy G Abbott wrote:
>>
>>> On Fri, 1 Aug 2008, Jonathan Reed wrote:
>>>
>>>> - When I ssh to an Athena 10 machine, ssh first prompts for
>>>> "Password:". If I (accidentally, for example) simply hit Return,
>>>> it then prompts for "Password for jdreed@ATHENA.MIT.EDU:"
>>>> Presumably that's a result of PAM stacking, but it's a weird and
>>>> potentially confusing behavior, especially since the first prompt
>>>> will happily accept the user's Kerberos password. It's a minor
>>>> thing, but is there any way around that?
>>>
>>> The use_first_pass option to pam_krb5 (which we use) is supposed
>>> to do this (see pam_krb5(5) for details), but it does seem it
>>> behaves as desired.
>>>
>>> -Tim Abbott
>>>
>>>
>>>
>
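
Added example, not part of the original message and not Athena's PAM configuration or pam_krb5 code: a small Python model of the two-module stack as described in the reply above, showing which prompts a user sees for each input. The account "localuser", both passwords, and the "first success ends the stack" control flow are assumptions made for illustration; see pam_krb5(5) for what the installed module actually does.

```python
# Toy model of a PAM "auth" stack; this is not real PAM or pam_krb5 code.
# All accounts and passwords below are constructed sample data.
LOCAL_PASSWORDS = {"localuser": "local-secret"}  # accounts with a local Unix password
KRB5_PASSWORDS = {"jdreed": "krb-secret"}        # principals known to the modelled KDC
REALM = "ATHENA.MIT.EDU"


class Session:
    """State shared by the modules: user, saved password, prompts shown."""

    def __init__(self, user, typed):
        self.user = user
        self.typed = list(typed)  # what the user types, in order
        self.authtok = None       # password saved by an earlier module
        self.prompts = []         # every prompt the user actually saw

    def converse(self, prompt):
        self.prompts.append(prompt)
        return self.typed.pop(0) if self.typed else ""


def pam_unix(s):
    """First module: always prompts, saves the answer, checks the local password."""
    s.authtok = s.converse("Password: ")
    return LOCAL_PASSWORDS.get(s.user) == s.authtok


def pam_krb5(s):
    """Second module, as the thread describes it: reuse the saved password;
    if Kerberos rejects it, show a Kerberos-style prompt checked only by Kerberos."""
    if KRB5_PASSWORDS.get(s.user) == s.authtok:
        return True
    retry = s.converse(f"Password for {s.user}@{REALM}: ")
    return KRB5_PASSWORDS.get(s.user) == retry


def authenticate(user, typed):
    """Run the stack in order; the first module that succeeds ends it (assumed)."""
    s = Session(user, typed)
    ok = any(module(s) for module in (pam_unix, pam_krb5))
    return ok, s.prompts


if __name__ == "__main__":
    for typed in (["krb-secret"], ["", "krb-secret"], ["", "wrong"]):
        print(typed, authenticate("jdreed", typed))
```

In this model a bare Return at the first prompt is simply a password that both checks reject, which is why the second, principal-qualified prompt appears.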