Harald Dunkel <[email protected]> writes:

> Package: libpam-krb5
> Version: 4.5-4

> The passwd module should tell whose password it asks for.

It intentionally doesn't do this by default (and will not do this by
default) because it actually breaks some ssh clients and some people
consider it a security leak.  However, it's easy to turn it on in your
local configuration if you want to.  It's the expose_account option:

   expose_account
       By default, the Kerberos PAM module password prompt is simply
       "Password:".  This avoids leaking any information about the system
       realm or account to principal conversions.  If this option is set,
       the string "for <principal>" is added before the colon, where
       <principal> is the user's principal.  This string is also added
       before the colon on prompts when changing the user's password.

       Enabling this option with ChallengeResponseAuthentication enabled
       in OpenSSH may cause problems for some ssh clients that only
       recognize "Password:" as a prompt.  This option is automatically
       disabled if search_k5login is enabled since the principal displayed
       would be inaccurate.

       This option can be set in krb5.conf and is only applicable to the
       auth and password groups.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
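
An added example, not part of the original message or of pam-krb5: a small Python check that applies the rules in the quoted documentation to a PAM stack and reports where expose_account actually takes effect. The PAM and sshd_config text is constructed sample input, the status labels are this example's own names, and only options given on the PAM line are considered (settings in krb5.conf are not read).

```python
# Added example: report where pam-krb5's expose_account takes effect.
# PAM_SAMPLE and SSHD_SAMPLE are constructed input, not taken from a real host.
import re

PAM_SAMPLE = """\
auth     [success=1 default=ignore] pam_krb5.so minimum_uid=1000 expose_account
account  required  pam_krb5.so expose_account
password required  pam_krb5.so expose_account search_k5login
"""
SSHD_SAMPLE = "ChallengeResponseAuthentication yes\n"

def sshd_challenge_response(sshd_text):
    """True if ChallengeResponseAuthentication is explicitly set to yes."""
    for line in sshd_text.splitlines():
        m = re.match(r"\s*ChallengeResponseAuthentication\s+(\S+)", line, re.I)
        if m:
            return m.group(1).lower() == "yes"  # sshd keeps the first value
    return False

def audit(pam_text, sshd_text):
    """Return (group, status) for each pam_krb5 line that sets expose_account."""
    findings = []
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        mod = next((i for i, f in enumerate(fields) if f.endswith("pam_krb5.so")), None)
        if mod is None or mod < 2:
            continue
        group, args = fields[0].lstrip("-"), fields[mod + 1:]
        if "expose_account" not in args:
            continue
        if group not in ("auth", "password"):
            status = "ignored"          # only applies to auth and password
        elif "search_k5login" in args:
            status = "auto-disabled"    # principal shown would be inaccurate
        elif group == "auth" and sshd_challenge_response(sshd_text):
            status = "active-ssh-risk"  # clients expecting "Password:" may fail
        else:
            status = "active"           # prompt names the principal
        findings.append((group, status))
    return findings

if __name__ == "__main__":
    for group, status in audit(PAM_SAMPLE, SSHD_SAMPLE):
        print(f"{group:9} expose_account -> {status}")
```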
