Subject: Re: pam_ssh for users w/o private keys
To: Christos Zoulas <>
From: Bill Studenmund <>
List: current-users
Date: 06/24/2005 07:59:15

On Fri, Jun 24, 2005 at 08:46:48AM -0400, Christos Zoulas wrote:
> On Jun 23,  7:40pm, (Bill Studenmund) wrote:
> -- Subject: Re: pam_ssh for users w/o private keys
> | > Did you type your password when it asked for the passphrase? Do you
> | > have try first pass set?
> |
> | I had to disable try_first_pass in a lot of lines. Seems our
> | try_first_pass isn't implemented right, and it acts like use_first_pass.
> | It's supposed to re-ask on failure, but doesn't.
> Yes, I have been wondering what the correct semantics for it should be.
> If you look in the ssh pam module, it checks and retries. The others don't.

I think the others should check and retry. At least that's what I expected
from the pam_unix man page:

     try_first_pass  This option is similar to the use_first_pass option,
                     except that if the previously obtained password fails,
                     the user is prompted for another password.


Take care,


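The difference between the two options discussed in this message, as an added example that is not part of the original e-mail and is not libpam or NetBSD code: a small C model of a module's token handling, with the retrying behaviour from the man page excerpt beside the no-retry behaviour reported in the thread. All names (`authenticate`, `authenticate_no_retry`, `ask_user`, the sample password) are hypothetical, and failing `use_first_pass` when no earlier token exists is an assumption of the model.

```c
#include <stdio.h>
#include <string.h>

/* Model only: hypothetical names, not the libpam API. */
enum first_pass { FP_NONE, FP_USE, FP_TRY };
typedef const char *(*prompt_fn)(void);   /* stands in for the PAM conversation */

static int prompts;                        /* how many times the user was asked */
static const char *ask_user(void) { prompts++; return "correct horse"; } /* constructed reply */

/* Stand-in for the module's real credential check (constructed secret). */
static int verify(const char *tok) { return tok && strcmp(tok, "correct horse") == 0; }

/* Returns 1 on success, 0 on failure.
 * stacked: token stored by an earlier module in the stack, or NULL. */
int authenticate(enum first_pass mode, const char *stacked, prompt_fn ask)
{
    if (mode != FP_NONE && stacked != NULL) {
        if (verify(stacked))
            return 1;
        if (mode == FP_USE)
            return 0;          /* use_first_pass: never prompt */
        /* try_first_pass: stored token failed, fall through and re-ask */
    } else if (mode == FP_USE) {
        return 0;              /* assumption: no stored token means failure */
    }
    return verify(ask());
}

/* The behaviour reported in the thread: with a stored token present,
 * try_first_pass is handled like use_first_pass and never re-asks. */
int authenticate_no_retry(enum first_pass mode, const char *stacked, prompt_fn ask)
{
    if (mode == FP_TRY && stacked != NULL)
        mode = FP_USE;
    return authenticate(mode, stacked, ask);
}

int main(void)
{
    /* An earlier module stored "wrong"; the user would type the right one. */
    prompts = 0;
    printf("retrying:  ok=%d", authenticate(FP_TRY, "wrong", ask_user));
    printf(" prompts=%d\n", prompts);
    prompts = 0;
    printf("no retry:  ok=%d", authenticate_no_retry(FP_TRY, "wrong", ask_user));
    printf(" prompts=%d\n", prompts);
    return 0;
}
```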