How to prevent sshd betraying hostname?

kc9udx

When connecting to sshd, I am prompted
(user@server) Password for user@realserver.domain:
where server is what the client calls the server but realserver.domain are the real hostname and domainname from the server.
I am using pam, and I presume that pam generates this prompt. How can I change it so that the prompt does not reveal the hostname (and domainname)?

rvp

kc9udx How can I change it so that the prompt does not reveal the hostname (and domainname)?

A bit obscure, but mentioned here.

qemu# diff -u /etc/pam.d/sshd.orig /etc/pam.d/sshd
--- /etc/pam.d/sshd.orig	2025-02-02 15:05:07.000000000 +0000
+++ /etc/pam.d/sshd	2025-02-11 22:24:56.642798062 +0000
@@ -10,7 +10,7 @@
 auth		optional	pam_afslog.so	no_warn try_first_pass
 # pam_ssh has potential security risks.  See pam_ssh(8).
 #auth		sufficient	pam_ssh.so	no_warn try_first_pass
-auth		required	pam_unix.so	no_warn try_first_pass
+auth		required	pam_unix.so	no_warn try_first_pass authtok_prompt="Ehh...what's up, Doc? "
 
 # account
 #account	required	pam_krb5.so
qemu#

kc9udx

~~I did try that first; but it seems to have no effect. Perhaps you can spot if I did something wrong:~~

# $NetBSD: sshd,v 1.9.76.1 2023/06/21 21:33:02 martin Exp $
#
# PAM configuration for the "sshd" service
#

# auth
auth            required        pam_nologin.so  no_warn authok_prompt="Try 2 ? "
auth            sufficient      pam_skey.so     no_warn try_first_pass
#auth           sufficient      pam_krb5.so     no_warn try_first_pass
auth            optional        pam_afslog.so   no_warn try_first_pass
# pam_ssh has potential security risks.  See pam_ssh(8).
#auth           sufficient      pam_ssh.so      no_warn try_first_pass
auth            required        pam_unix.so     no_warn try_first_pass authok_prompt="Try? "

# account
#account        required        pam_krb5.so
account         required        pam_login_access.so
account         required        pam_unix.so

# session
# pam_ssh has potential security risks.  See pam_ssh(8).
#session        optional        pam_ssh.so
session         required        pam_permit.so

# password
#password       sufficient      pam_krb5.so     no_warn try_first_pass
password        required        pam_unix.so     no_warn try_first_pass

Alright... Nefermind... It was a stupid spelling error on my part the whole time.