Handling of password & account expirations

Kevin Steves stevesk at pobox.com
Tue Jun 5 13:32:19 EST 2001


On Mon, 4 Jun 2001, Brian Poole wrote:
:Quoting Darren Moffat (Darren.Moffat at eng.sun.com) from 4 June 2001:
:> >While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
:> >believe this is still an issue with OpenSSH in the portable release, correct?
:> >We can't expect {Linux,Solaris,<foobar-os>} to have BSD_AUTH can we?

a portable BSD auth would be interesting, particularly if it shrinks the
diff with openbsd openssh.  i don't see why we can't do this.

:> It shouldn't be an issue on those systems since OpenSSH (unlike the
:> SSH Communications Inc) properly calls pam_acct_mgmt() regardless of
:> which type of authentication was used.  On Linux and Solaris the
:> password aging is enforced in a PAM module so the correct thing happens on
:> these systems when the portable release is compiled with PAM support.

and hp-ux 11.X.

:Okay, on Linux and Solaris it appears to be fine. FreeBSD looked good from
:a quick test as well but we can't assume that just because some of the OSes
:are okay that they all are. For example, on NetBSD this still works (just
:like it did on OpenBSD until last week). A log snippet is included at the
:end showing this on a recent snapshot. I assume there are other OSes like
:this. Just because the OS does not have PAM installed does not mean that
:we should let this door hang open, does it?

as i recall, freebsd has integrated a patch for this for a while (since at
least last summer when i looked).

yes it is an issue, but i think the answer may be a portable BSD auth.




More information about the openssh-unix-dev mailing list
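
The thread's point that the account check must run "regardless of which type of authentication was used" can be sketched for a system without PAM as follows. This is an added example, not part of the original message and not OpenSSH code; `struct acct_aging`, `check_account()` and `allow_login()` are hypothetical names, the fields are modelled on the BSD `struct passwd` aging fields `pw_change` and `pw_expire`, and the deny-on-expired-password policy is an assumption.

```c
#include <stdio.h>
#include <time.h>

/* Hypothetical record; field names follow the BSD struct passwd aging fields. */
struct acct_aging {
    time_t pw_change;   /* password must be changed after this time, 0 = no limit */
    time_t pw_expire;   /* account is disabled after this time, 0 = no limit */
};

enum acct_status { ACCT_OK, ACCT_EXPIRED, ACCT_PASSWORD_EXPIRED };
enum auth_method { AUTH_PASSWORD, AUTH_PUBLICKEY };

/* Account-management step: looks only at the account, never at how the
 * user authenticated. Account expiry takes precedence over password expiry. */
enum acct_status check_account(const struct acct_aging *a, time_t now)
{
    if (a->pw_expire != 0 && now >= a->pw_expire)
        return ACCT_EXPIRED;
    if (a->pw_change != 0 && now >= a->pw_change)
        return ACCT_PASSWORD_EXPIRED;
    return ACCT_OK;
}

/* Returns 1 if the session may start. `authenticated` is the result of the
 * chosen method; the aging check then runs for every method alike. */
int allow_login(enum auth_method method, int authenticated,
                const struct acct_aging *a, time_t now)
{
    (void)method;   /* deliberately unused: no method skips the check */
    if (!authenticated)
        return 0;
    /* Policy assumed here: deny on any non-OK status. A server could
     * instead force a password change on ACCT_PASSWORD_EXPIRED. */
    return check_account(a, now) == ACCT_OK;
}

int main(void)
{
    const time_t now = 1000000;                        /* constructed clock */
    const struct acct_aging active  = { 0, 0 };        /* constructed */
    const struct acct_aging expired = { 0, now - 1 };  /* constructed */
    const struct acct_aging stale   = { now - 1, 0 };  /* constructed */

    printf("active/publickey:  %d\n", allow_login(AUTH_PUBLICKEY, 1, &active, now));
    printf("expired/publickey: %d\n", allow_login(AUTH_PUBLICKEY, 1, &expired, now));
    printf("expired/password:  %d\n", allow_login(AUTH_PASSWORD, 1, &expired, now));
    printf("stale/publickey:   %d\n", allow_login(AUTH_PUBLICKEY, 1, &stale, now));
    return 0;
}
```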