[Bug 2018] New: sshd not handling PAM_NEW_AUTHTOK_REQD properly
bugzilla-daemon at bugzilla.mindrot.org
bugzilla-daemon at bugzilla.mindrot.org
Tue Jun 12 23:50:27 EST 2012
https://bugzilla.mindrot.org/show_bug.cgi?id=2018
Bug #: 2018
Summary: sshd not handling PAM_NEW_AUTHTOK_REQD properly
Classification: Unclassified
Product: Portable OpenSSH
Version: 6.0p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: PAM support
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: ssanders at opnet.com
Created attachment 2164
--> https://bugzilla.mindrot.org/attachment.cgi?id=2164
Zone in auth-pam.c where issue lies.
Near line 482 in auth-pam.c, sshpam_password_change_required(0) is
called. This will have the effect of preventing PAM_NEW_AUTHTOK_REQD
from being transmitted back to the parent process.
In turn, this will prevent any password updates from occurring at login
time.
If one comments the line out or changes to
sshpam_password_change_required(1), sshd will prompt for a new user
password and process the password update as anticipated.
This is used to support password expiration. The normal flow should be
authenticate -> password update -> authenticate using new password.
I've listed 6.0p1 but it is in all versions 5.2p1 and greater.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list