Subject: Re: pam_ssh for users w/o private keys
To: Christos Zoulas <christos@zoulas.com>
From: Bill Studenmund <wrstuden@netbsd.org>
List: current-users
Date: 06/24/2005 07:59:15

On Fri, Jun 24, 2005 at 08:46:48AM -0400, Christos Zoulas wrote:
> On Jun 23,  7:40pm, wrstuden@netbsd.org (Bill Studenmund) wrote:
> -- Subject: Re: pam_ssh for users w/o private keys
>
> | > Did you type your password when it asked for the passphrase? Do you
> | > have try first pass set?
> |
> | I had to disable try_first_pass in a lot of lines. Seems our
> | try_first_pass isn't implemented right, and it acts like use_first_pass.
> | It's supposed to re-ask on failure, but doesn't.
>
> Yes, I have been wondering what the correct semantics for it should be.
> If you look in the ssh pam module, it checks and retries. The others don't.

I think the others should check and retry. At least that's what I expected
from the pam_unix man page:

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained password fails,
                     the user is prompted for another password.

:-)

Take care,

Bill

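The difference between use_first_pass and try_first_pass, as the man page text quoted above describes it, modelled in C as an added example (not part of the original message, and not NetBSD or OpenPAM code). All names are hypothetical, the passwords are constructed, no real PAM API is used, and the failure of use_first_pass when nothing is cached is an assumption of this model.

```c
#include <stdio.h>
#include <string.h>
/* Model only: hypothetical names, no real PAM API. */
enum first_pass { PROMPT_ALWAYS, USE_FIRST_PASS, TRY_FIRST_PASS };
struct auth_ctx {
    const char *cached_tok;   /* password stored by an earlier module, or NULL */
    const char *typed;        /* constructed: what the user would type if asked */
    int prompts;              /* number of times the user was asked */
};
/* Constructed sample secret that this module accepts. */
static int verify(const char *tok) { return tok && strcmp(tok, "module-secret") == 0; }
/* Stands in for the PAM conversation function. */
static const char *prompt_user(struct auth_ctx *c) { c->prompts++; return c->typed; }

/* Returns 1 on success, 0 on authentication failure. */
int authenticate(struct auth_ctx *c, enum first_pass mode)
{
    if (mode != PROMPT_ALWAYS && c->cached_tok != NULL) {
        if (verify(c->cached_tok))
            return 1;         /* cached password worked, no prompt needed */
        if (mode == USE_FIRST_PASS)
            return 0;         /* use_first_pass: fail, never re-ask */
        /* try_first_pass: cached password failed, fall through and ask */
    } else if (mode == USE_FIRST_PASS) {
        return 0;             /* assumption: nothing cached means failure */
    }
    const char *tok = prompt_user(c);
    if (!verify(tok))
        return 0;
    c->cached_tok = tok;      /* later modules in the stack can reuse it */
    return 1;
}

/* One login where the cached password is wrong for this module. */
int run_case(enum first_pass mode, int *prompts)
{
    struct auth_ctx c = { "login-password", "module-secret", 0 };
    int ok = authenticate(&c, mode);
    *prompts = c.prompts;
    return ok;
}

int main(void)
{
    int n, ok = run_case(USE_FIRST_PASS, &n);
    printf("use_first_pass: ok=%d prompts=%d\n", ok, n);
    ok = run_case(TRY_FIRST_PASS, &n);
    printf("try_first_pass: ok=%d prompts=%d\n", ok, n);
    return 0;
}
```

An implementation that returns failure with zero prompts in the try_first_pass case is behaving like use_first_pass, which is the symptom reported in the thread.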