A bug in openssh-2.2.0-p1
Pavel Troller
patrol at omni.sinus.cz
Sun Sep 3 02:59:01 EST 2000
Hello!
Today I've found, downloaded and compiled openssh-2.2.0-p1. It basically worked, except that users
other than root were not allowed to login. My system is a Linux-2.4.0-test7 with glibc-2.1.3. No PAM
is installed/used. It uses MD5 passwords and shadow with account expiration feature.
In handling of the latter, a probable bug was found. In auth.c, allowed_user(), there is a
code at the line 73, saying
...
/* Check password expiry */
if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) &&
(days > (spw->sp_lstchg + spw->sp_inact)))
return 0;
}
...
In my opinion, this is wrong. sp_inact tells how long the account may remain inactive until it is
locked, measured from the last login time. It is set to 30 days for all users on my system.
To add the date of last password change to this value is meaningless and this test fails for all
my users.
On the other hand, there is a sp_max entry, stating maximum number of days between password
changes. This is the right value for us. So I changed the code to be as follows:
/* Check password expiry */
if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) &&
(days > (spw->sp_lstchg + spw->sp_max)))
return 0;
}
And from that, all works well and all users are correctly permitted to login.
I'm not sending a patch because I think it's more easy to edit the source by hand than to apply
a patch on it, in that case.
With regards,
Pavel Troller
More information about the openssh-unix-dev
mailing list