[Bug 2018] New: sshd not handling PAM_NEW_AUTHTOK_REQD properly

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Jun 12 23:50:27 EST 2012


https://bugzilla.mindrot.org/show_bug.cgi?id=2018

             Bug #: 2018
           Summary: sshd not handling PAM_NEW_AUTHTOK_REQD properly
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 6.0p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: PAM support
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: ssanders at opnet.com


Created attachment 2164
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2164
Zone in auth-pam.c where issue lies.

Near line 482 in auth-pam.c, sshpam_password_change_required(0) is
called.  This will have the effect of preventing PAM_NEW_AUTHTOK_REQD
from being transmitted back to the parent process.  

In turn, this will prevent any password updates from occurring at login
time.

If one comments the line out or changes to
sshpam_password_change_required(1), sshd will prompt for a new user
password and process the password update as anticipated.

This is used to support password expiration.  The normal flow should be
authenticate -> password update -> authenticate using new password.

I've listed 6.0p1 but it is in all versions 5.2p1 and greater.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list