sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM

Dost, Alexander Alexander.Dost at drkw.com
Fri Nov 9 20:29:40 EST 2001


Putting together what various testing produced:
The problem is indeed the passwd -f command. It puts a zero into the lastchg
field and this is never changed thereafter... pam_unix.so crashes and is not
able to handle the zero-field.
If you change /etc/shadow according to the below-mentioned scheme
"name:<passwd>:1:1:1", everything works fine.
The only problem is that after login the other fields are not updated. The
lastchg field is set correctly, but the others (min/max/warn) are left alone
pointing to '1', so after one day you will supposedly be asked again to change.
But this is another problem, I think, when you manually change these files.

Thanks all for the help

Alex


> -----Original Message-----
> From:	Mark D. Baushke [SMTP:mdb at juniper.net]
> Sent:	Thursday, November 08, 2001 22:09
> To:	Scott Burch
> Cc:	Ed Phillips; Dost,     Alexander; OpenSSH Development
> Subject:	Re: sshd can't change expired password on Sol8 with
> Openssh3.0p1 + PAM 
> 
> Hi Scott,
> 
> You may find a problem building under Solaris 2.6 with references to
> 'struct rlimit64'; this may be cured by either removing the line
> 
> #define _FILE_OFFSET_BITS 64
> 
> in the config.h file or adding the lines
> 
> /* Define if _FILE_OFFSET_BITS also needs _LARGEFILE64_SOURCE defined */
> #define _LARGEFILE64_SOURCE 1
> 
> to config.h. This is due to a bug in the AC_SYS_LARGEFILE macro used in
> configure.ac
> 
> 	Good luck,
> 	-- Mark
> 
> > Message-ID: <009701c16890$d2ad32f0$f24318ac at ent.core.medtronic.com>
> > From: "Scott Burch" <scott.burch at camberwind.com>
> > To: "Ed Phillips" <ed at UDel.Edu>, "Dost, Alexander" <Alexander.Dost at drkw.com>
> > Cc: "OpenSSH Development" <openssh-unix-dev at mindrot.org>
> > References: <Pine.SOL.4.30.0111081432500.25771-100000 at mahler.udel.edu>
> > Subject: Re: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> > Date: Thu, 8 Nov 2001 14:06:16 -0600
> > 
> > Hello,
> > 
> > For Solaris 2.6 the patch is 106271-08 from 9/17/01.  I am about to build on
> > 2.6 and will verify that this works.
> > 
> > -Scott
> > 
> > ----- Original Message -----
> > From: "Ed Phillips" <ed at UDel.Edu>
> > To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > Cc: "OpenSSH Development" <openssh-unix-dev at mindrot.org>
> > Sent: Thursday, November 08, 2001 1:36 PM
> > Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> > 
> > 
> > > Better Idea Alert!
> > >
> > > Try patch 111659-02 and you don't have to wait for 3 hours (right now)
> > > while the Recommended Patch Set installs.
> > >
> > > Chances are, if there is a problem with pam_unix, this patch fixes it.
> > > The buglist for this patch includes the following:
> > >
> > > 4112707 Password expiration (passwd -f) doesn't work correctly
> > >
> > > Also, if "passwd -f" is really the culprit (puts something in /etc/shadow
> > > that pam_unix.so doesn't like), you can try editing /etc/shadow by hand
> > > and make the entry look like:
> > >
> > > user:<encpw>:1:1:1::::
> > >
> > > Hope this helps...
> > >
> > > Ed
> > >
> > > On Thu, 8 Nov 2001, Ed Phillips wrote:
> > >
> > > > Date: Thu, 8 Nov 2001 14:26:54 -0500 (EST)
> > > > From: Ed Phillips <ed at udel.edu>
> > > > To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > > > Cc: openssh-unix-dev at udel.edu
> > > > Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> > > >
> > > > The reason I ask about the patches is because I think the problem you're
> > > > seeing might actually be a bug in pam_unix.so.1 - it's something to try at
> > > > least.  We don't use password aging and we don't use the "passwd" command
> > > > to change passwords, so we haven't run into this at our site even though
> > > > we probably don't have pam_unix.so patched up.  Also, the passwd command
> > > > doesn't even work if you have something besides "files", "nis" or "nis+"
> > > > in the passwd line of /etc/nsswitch.conf (which we do).
> > > >
> > > > Ed
> > > >
> > > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > > Systems Programmer III, Network and Systems Services
> > > > finger -l ed at polycut.nss.udel.edu for PGP public key
> > > >
> > > >
> > >
> > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > Systems Programmer III, Network and Systems Services
> > > finger -l ed at polycut.nss.udel.edu for PGP public key
> > >
> > >
> > >
> > 
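The /etc/shadow aging fields discussed in this thread, as an added example that is not part of the original messages and not OpenSSH or pam_unix code: a small Python audit that flags entries whose lastchg is 0 (the state the thread attributes to passwd -f) and entries whose max is 1 or less (the hand-edited workaround, which expires again about a day later). The sample entries, the function names and the day number 11635 (9 Nov 2001 as days since 1970-01-01) are constructed for illustration.

```python
import time

FIELDS = ("name", "passwd", "lastchg", "min", "max", "warn",
          "inactive", "expire", "flag")

# Constructed sample entries (not from a real system).
SAMPLE_SHADOW = """\
alice:<encpw>:0::::::
bob:<encpw>:1:1:1::::
carol:<encpw>:11635:1:1::::
dave:<encpw>:11600:7:90:14:::
erin:<encpw>:::::::
"""

def parse_entry(line):
    """Split one shadow line; aging fields become int or None (empty)."""
    parts = line.strip().split(":")
    parts += [""] * (len(FIELDS) - len(parts))  # tolerate short hand-edited lines
    entry = dict(zip(FIELDS, parts))
    for key in ("lastchg", "min", "max", "warn"):
        entry[key] = int(entry[key]) if entry[key].isdigit() else None
    return entry

def aging_findings(entry, today):
    """Return labels for the aging states discussed in the thread."""
    found = []
    lastchg, max_days = entry["lastchg"], entry["max"]
    if lastchg == 0:
        found.append("lastchg=0")  # forced change pending (passwd -f)
    elif lastchg is not None and max_days is not None and today > lastchg + max_days:
        found.append("expired")    # password older than max days
    if max_days is not None and max_days <= 1:
        found.append("max<=1")     # expires again about a day after each change
    return found

def audit(text, today=None):
    """Map account name -> findings; today is days since 1970-01-01."""
    if today is None:
        today = int(time.time() // 86400)
    report = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            entry = parse_entry(line)
            found = aging_findings(entry, today)
            if found:
                report[entry["name"]] = found
    return report

if __name__ == "__main__":
    for name, found in audit(SAMPLE_SHADOW, today=11635).items():
        print(name, ", ".join(found))
```

To run it against a real system, pass the contents of /etc/shadow (read as root) to `audit()` instead of the constructed sample.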


