Handling of password & account expirations

Brian Poole raj at cerias.purdue.edu
Tue Jun 5 06:37:41 EST 2001


Quoting Darren Moffat (Darren.Moffat at eng.sun.com) from 4 June 2001:
> >While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
> >believe this is still an issue with OpenSSH in the portable release, correct?
> >We can't expect {Linux,Solaris,<foobar-os>} to have BSD_AUTH can we?
> 
> It shouldn't be an issue on those systems since OpenSSH (unlike the
> SSH Communications Inc) properly calls pam_acct_mgmt() regardless of
> which type of authentication was used.  On Linux and Solaris the
> password aging is enforced in a PAM module so the correct thing happens on
> these systems when the portable release is compiled with PAM support.

Okay, on Linux and Solaris it appears to be fine. FreeBSD looked good from
a quick test as well but we can't assume that just because some of the OSes 
are okay that they all are. For example, on NetBSD this still works (just
like it did on OpenBSD until last week). A log snippet is included at the
end showing this on a recent snapshot. I assume there are other OSes like
this. Just because the OS does not have PAM installed does not mean that
we should let this door hang open, does it?

-b


fubared# ssh -V
OpenSSH_2.9 NetBSD_Secure_Shell-20010515, SSH protocols 1.5/2.0, OpenSSL 0x0090601f
fubared# userdel -r test
fubared# useradd -m test    
fubared# usermod -f 1 -e"`date +%c`" test
fubared# userinfo test
login   test
passwd  *************
uid     1000
groups  users 
change  Wed Dec 31 19:00:01 1969
class   
gecos   
dir     /home/test
shell   /bin/csh
expire  Mon Jun  4 10:29:53 2001
fubared# passwd test
Changing local password for test.
New password:
Retype new password:
fubared# ssh -l test localhost
test at localhost's password: 
Last login: Mon Jun  4 10:24:42 2001 from localhost
NetBSD 1.5V (GENERIC) #47: Sat May 26 12:20:02 PDT 2001

Welcome to NetBSD!

Spelling is a lossed art.                                               
fubared: {1} 

/* Welp, that's bad.. Respects neither password nor account expiration */

/* Let's verify that they are in fact expired */

fubared# telnet localhost
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
login: test
Password:
Sorry -- your account has expired.
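As an added example (not code from the thread or from OpenSSH), here is a small audit that applies the two checks BSD login(1) makes before granting the session shown above, password expiry (pw_change) and account expiry (pw_expire), which is exactly what the non-PAM OpenSSH build skipped. The master.passwd(5) field order is assumed to be the NetBSD/OpenBSD one, and the sample entries are constructed to mirror the userinfo output in the post.

```python
import calendar
from dataclasses import dataclass

# Assumed field order of a BSD master.passwd(5) entry (NetBSD/OpenBSD layout).
FIELDS = ("name", "passwd", "uid", "gid", "class", "change", "expire",
          "gecos", "home", "shell")


@dataclass
class AccountStatus:
    name: str
    password_expired: bool   # pw_change set and already in the past
    account_expired: bool    # pw_expire set and already in the past


def parse_entry(line: str) -> dict:
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    entry = dict(zip(FIELDS, parts))
    # change/expire are seconds since the epoch; 0 means "never".
    entry["change"] = int(entry["change"] or 0)
    entry["expire"] = int(entry["expire"] or 0)
    return entry


def check_account(line: str, now: int) -> AccountStatus:
    e = parse_entry(line)
    # The same two tests BSD login(1) applies ("your password/account has expired").
    return AccountStatus(
        name=e["name"],
        password_expired=e["change"] != 0 and e["change"] <= now,
        account_expired=e["expire"] != 0 and e["expire"] <= now,
    )


def audit(text: str, now: int) -> list:
    """Return the status of every account that login(1) would refuse."""
    found = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        st = check_account(line, now)
        if st.password_expired or st.account_expired:
            found.append(st)
    return found


# Constructed sample: 'test' mirrors the userinfo output in the post
# (change forced to epoch+1, expire set to Mon Jun 4 10:29:53 2001 EDT).
EXPIRE_TEST = calendar.timegm((2001, 6, 4, 14, 29, 53))
NOW = calendar.timegm((2001, 6, 4, 14, 30, 0))
SAMPLE = (
    "root:*:0:0::0:0:Charlie &:/root:/bin/csh\n"
    f"test:$placeholder$:1000:100::1:{EXPIRE_TEST}:&:/home/test:/bin/csh\n"
    "alice:*:1001:100::0:0:Alice:/home/alice:/bin/sh\n"
)

if __name__ == "__main__":
    for st in audit(SAMPLE, NOW):
        print(st)
```

Run it against a copy of the real file (with the field order verified first) to list the accounts that a login path bypassing these checks would still admit.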



More information about the openssh-unix-dev mailing list