Handling of password & account expirations

Brian Poole raj at cerias.purdue.edu
Sun Jun 3 13:19:19 EST 2001


Hello,

There has been an annoyance with OpenSSH that has been bugging me 
lately. It pays no attention to pw_change and pw_expire fields from the
passwd file for users by default. Thus even if the admin has set a 
user's account to expire 5 days ago, they can still log in. So one might
say, just add 'UseLogin yes' and all of your problems will be solved.
This of course is not a good answer, because as has been noted recently 
on the list and is mentioned in the man page, UseLogin does not affect
remote command execution, thus people can still use scp, sftp or just
execute random shell commands.

It would be simplistic to regain access to one's account, even if it was
expired and UseLogin set to yes IMO. A few remote commands and you could
upload an alternate way of logging in with an interactive account. This
defeats the entire purpose of account & password expiration IMO and 
should be fixed immediately.

Since no one else has seemed concerned about this when I posted it on 
the OpenBSD mailing lists I have written a patch to attempt to address
the problem myself. This has already been submitted to bugs at openbsd 
several days ago, but met no response, thus I'm submitting it here as 
well (probably proper procedure in the first place).

Patch is available at:
http://www.cerias.purdue.edu/homes/rajak/openbsd/patch_exp-support 

The changes are minor, should not add any significant overhead and seem
to be the right thing to do in any case. I would personally like to see
a sshd config option that allowed customizable warning times, which I 
added in session.c (very similar to how login does it) with a -fixed-
time (1 week), but I do not want to waste more time writing patches if
they are just going to be ignored.

Looking forward to some response/feedback,

-b
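As an added illustration (not the author's patch, which is only linked above), here is the shape of the check the post asks for in C: one expiry decision with the fixed one-week warning the post describes, and a gate that every session path (interactive shell, remote command, scp, sftp) would consult so that none of them bypasses it. It assumes the BSD pw_change/pw_expire semantics (0 meaning never) and models those two fields in a small stand-in struct so it compiles on systems whose struct passwd lacks them.

```c
#include <stdio.h>
#include <time.h>

/* Fixed one-week warning window, matching the post's patch (not a configurable sshd option). */
#define EXPIRY_WARN_SECONDS (7 * 24 * 60 * 60)

/* Outcome of the expiry check; both EXPIRED states must block every session type. */
enum expiry_status {
    EXP_OK = 0,
    EXP_PASSWORD_WARN,      /* pw_change within the window: admit, but warn */
    EXP_ACCOUNT_WARN,       /* pw_expire within the window: admit, but warn */
    EXP_PASSWORD_EXPIRED,   /* pw_change in the past: deny until the password is changed */
    EXP_ACCOUNT_EXPIRED     /* pw_expire in the past: deny outright */
};

/* Stand-in for the two BSD struct passwd fields the post refers to. Assumption: modelled
 * separately so this compiles where struct passwd has no pw_change/pw_expire members. */
struct bsd_expiry {
    time_t pw_change;   /* seconds since the epoch; 0 means never */
    time_t pw_expire;   /* seconds since the epoch; 0 means never */
};

enum expiry_status check_expiry(const struct bsd_expiry *pw, time_t now)
{
    /* Hard failures first: an expired account takes precedence over an expired password. */
    if (pw->pw_expire != 0 && pw->pw_expire <= now)
        return EXP_ACCOUNT_EXPIRED;
    if (pw->pw_change != 0 && pw->pw_change <= now)
        return EXP_PASSWORD_EXPIRED;
    /* Soft warnings: expiry still in the future but inside the warning window. */
    if (pw->pw_expire != 0 && pw->pw_expire - now < EXPIRY_WARN_SECONDS)
        return EXP_ACCOUNT_WARN;
    if (pw->pw_change != 0 && pw->pw_change - now < EXPIRY_WARN_SECONDS)
        return EXP_PASSWORD_WARN;
    return EXP_OK;
}

/* The gate to call before running anything as the user, on every session path,
 * so non-interactive sessions cannot sidestep what login(1) would enforce. */
int session_permitted(enum expiry_status s)
{
    return s == EXP_OK || s == EXP_PASSWORD_WARN || s == EXP_ACCOUNT_WARN;
}

int main(void)
{
    /* Constructed sample: the post's case, an account set to expire five days ago. */
    time_t now = 991556359;   /* constructed timestamp near the post's date */
    struct bsd_expiry user = { 0, now - 5 * 24 * 60 * 60 };
    enum expiry_status s = check_expiry(&user, now);
    printf("status=%d permitted=%d\n", (int)s, session_permitted(s));
    return 0;
}
```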
