Reporting back on Sol2.6 and Sol8 with Openssh3.0p1 + PAM

Scott Burch scott.burch at camberwind.com
Fri Nov 9 15:48:34 EST 2001


Hello,

I successfully built OpenSSH 3.0p1 on Solaris 2.6 (however PAM and
password aging does not work on 2.6, but it does work on Solaris
8...details are provided below) today with Sun's Forte 6 Update 2. I
made sure all the latest linker patches and Forte patches were applied
as well as any c/c++ library patches were applied. I also applied the
latest patch.

Details on patches:


Patch-ID# 106271-08
Keywords: security pam_unix.so.1 csh umask nispasswd Passwd_compat
Synopsis: SunOS 5.6: /usr/lib/security/pam_unix.so.1 patch
Date: Sep/17/2001



Patch-ID# 111685-02
Keywords: C++ 5.3 CC 5.3 WS6U2
Synopsis: C++ 5.3: Patch for Forte Developer 6 update 2 C++ compiler
Date: Oct/01/2001


Patch-ID# 111678-04
Keywords: common compiler backend iropt cg libmtsk WS6U2
Synopsis: Compiler Common 6.2: Patch Forte Developer 6 update 2, C++ F77 F95
Date: Oct/01/2001

Compile Options other than --with-pam:

--disable-suid-ssh
--without-rsh
--with-prngd-socket
--with-tcp-wrappers

On Solaris 8 I compiled with the same options.

I created two local accounts on the two servers running OpenSSH 3.0p1. I
set the password on both accounts and did a passwd -f to expire the
passwords. We are required now to enable and enforce password aging
where I work, so this will need to work.

When I login to the Solaris 8 server I get the message that my password
has expired and I am asked to enter my login password. I enter the login
password and things work great! On Solaris 2.6 I get the same message to
enter my login password, but after entering a new password I get the
following:

"Removing root credentials would break the rpc services that use secure
rpc on this host! Root may use key logout -f to do this (at your own
risk)!" I am then disconnected.

(Now I can duplicate this activity on Solaris 8 if I am another user on
one host and connect via ssh to the Solaris 8 box running ssh 3.0p1 as
the user whose password has expired (ssh -l). I presume this is
normal..password changing for the user with an expired password only
works if you are connecting as that user from the remote host?)

I did not do anything with /etc/pam.conf on either host..I am using the
default that came with the system.

So, it appears that password aging and pam do not get along on Solaris
2.6 even with the latest patch? I'll take a closer look at things when I
get in tomorrow morning. If you need further information, want debugger
output...I am willing to compile with debugging, etc.

-Scott





On Thu, 2001-11-08 at 16:08, Mark D. Baushke wrote:
> Hi Scott,
> 
> You may find a problem building under Solaris 2.6 with references to
> 'struct rlimit64' this may be cured by either removing the line
> 
> #define _FILE_OFFSET_BITS 64
> 
> in the config.h file or adding the lines
> 
> /* Define if _FILE_OFFSET_BITS also needs _LARGEFILE64_SOURCE defined */
> #define _LARGEFILE64_SOURCE 1
> 
> to config.h this is due to a bug in the AC_SYS_LARGEFILE macro used in
> configure.ac
> 
> 	Good luck,
> 	-- Mark
> 
> > Message-ID: <009701c16890$d2ad32f0$f24318ac at ent.core.medtronic.com>
> > From: "Scott Burch" <scott.burch at camberwind.com>
> > To: "Ed Phillips" <ed at UDel.Edu>, "Dost, Alexander" <Alexander.Dost at drkw.com>
> > Cc: "OpenSSH Development" <openssh-unix-dev at mindrot.org>
> > References: <Pine.SOL.4.30.0111081432500.25771-100000 at mahler.udel.edu>
> > Subject: Re: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> > Date: Thu, 8 Nov 2001 14:06:16 -0600
> > 
> > Hello,
> > 
> > For Solaris 2.6 the patch is 106271-08 from 9/17/01.  I am about to build on
> > 2.6 and will verify that this works.
> > 
> > -Scott
> > 
> > ----- Original Message -----
> > From: "Ed Phillips" <ed at UDel.Edu>
> > To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > Cc: "OpenSSH Development" <openssh-unix-dev at mindrot.org>
> > Sent: Thursday, November 08, 2001 1:36 PM
> > Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1 +
> > PAM
> > 
> > 
> > > Better Idea Alert!
> > >
> > > Try patch 111659-02 and you don't have to wait for 3 hours (right now)
> > > while the Recommended Patch Set installs.
> > >
> > > Chances are, if there is a problem with pam_unix, this patch fixes it.
> > > The buglist for this patch includes the following:
> > >
> > > 4112707 Password expiration (passwd -f) doesn't work correctly
> > >
> > > Also, if "passwd -f" is really the culprit (puts something in /etc/shadow
> > > that pam_unix.so doesn't like), you can try editing /etc/shadow by hand
> > > and make the entry look like:
> > >
> > > user:<encpw>:1:1:1::::
> > >
> > > Hope this helps...
> > >
> > > Ed
> > >
> > > On Thu, 8 Nov 2001, Ed Phillips wrote:
> > >
> > > > Date: Thu, 8 Nov 2001 14:26:54 -0500 (EST)
> > > > From: Ed Phillips <ed at udel.edu>
> > > > To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > > > Cc: openssh-unix-dev at udel.edu
> > > > Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1
> > > >     + PAM
> > > >
> > > > The reason I ask about the patches is because I think the problem you're
> > > > seeing might actually be a bug in pam_unix.so.1 - it's something to try at
> > > > least.  We don't use password aging and we don't use the "passwd" command
> > > > to change passwords, so we haven't run into this at our site even though
> > > > we probably don't have pam_unix.so patched up.  Also, the passwd command
> > > > doesn't even work if you have something besides "files", "nis" or "nis+"
> > > > in the passwd line of /etc/nsswitch.conf (which we do).
> > > >
> > > > Ed
> > > >
> > > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > > Systems Programmer III, Network and Systems Services
> > > > finger -l ed at polycut.nss.udel.edu for PGP public key
> > > >
> > > >
> > >
> > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > Systems Programmer III, Network and Systems Services
> > > finger -l ed at polycut.nss.udel.edu for PGP public key
> > >
> > >
> > >
> > 
> 
> 
-- 
Scott Burch
http://www.camberwind.com/
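
Added example, not part of the original thread: a small checker that classifies the password-aging state of shadow-format entries, so the account state that sshd and pam_unix will act on can be confirmed before testing a login. The function names, the sample entries and the day number (11635, i.e. 9 Nov 2001) are constructed; it assumes the nine-field shadow layout, that a forced change is recorded as lastchg 0, and that a password is expired once today exceeds lastchg + max.

```shell
#!/bin/sh
# Fields: name:passwd:lastchg:min:max:warn:inactive:expire:flag
# lastchg is in days since 1970-01-01; min/max are in days.

aging_state() {
    # $1 = one shadow-format line, $2 = today as days since the epoch
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    NF != 9             { print "malformed"; next }
    $3 == ""            { print "no-aging"; next }      # lastchg empty: aging not in effect
    $3 == 0             { print "forced-change"; next } # assumed result of passwd -f
    $5 == "" || $5 < 0  { print "no-aging"; next }      # no maximum age configured
    today > $3 + $5     { print "expired"; next }       # older than max days
                        { print "valid" }'
}

scan_shadow() {
    # stdin = shadow-format lines, $1 = today as days since the epoch
    while IFS= read -r line; do
        printf '%s %s\n' "${line%%:*}" "$(aging_state "$line" "$1")"
    done
}

sample_shadow() {
    # Constructed entries; bob uses the hand-edited form quoted in the thread.
cat <<'EOF'
alice:<encpw>:0::::::
bob:<encpw>:1:1:1::::
carol:<encpw>:11635:7:90:14:::
dave:<encpw>:11500:7:90:14:::
erin:<encpw>:11635::::::
EOF
}

# Stand-alone run over the constructed sample.
sample_shadow | scan_shadow 11635
```

On a real host the same scan would be fed from /etc/shadow as root, with today computed as the current epoch seconds divided by 86400.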
