sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM

Ed Phillips ed at UDel.Edu
Sat Nov 10 03:23:27 EST 2001


On Fri, 9 Nov 2001, Dost, Alexander wrote:

> Date: Fri, 9 Nov 2001 10:29:40 +0100
> From: "Dost, Alexander" <Alexander.Dost at drkw.com>
> To: Ed Phillips <ed at UDel.Edu>
> Cc: OpenSSH Development <openssh-unix-dev at mindrot.org>,
>      "'sproba1 at llnl.gov'" <sproba1 at llnl.gov>
> Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1
>      + PAM
>
> Putting together what various testing produced:
> The problem is indeed the passwd -f command. It puts a zero into the lastchg
> field and this is never changed thereafter... pam_unix.so crashes and is not
> able to handle the zero-field.
> If you change /etc/shadow according to the below mentioned scheme
> "name:<passwd>:1:1:1", everything works fine.

GOOD JOB!

That solves the problem on Sol2.6 too!

So, the question is, are you running patch 111659-02 on your Sol8 box? If
not, then install it and see if it fixes the "passwd -f" problem.  If you
ARE running 111659-02, then I'm not sure what is going on - Scott and I are
running it and "passwd -f" works for us on Sol8.

Now the big question is: why doesn't 106271-08 fix the problem on
Sol2.6?  The "passwd -f" problem is bug ID 4112707, by the way.

> The only problem is that after login the other fields are not updated. The
> lastchg field is set correctly, but the others (min/max/warn) are left alone
> pointing to '1', so after one day you will supposedly be asked again to
> change. But this is another problem, I think, when you manually change these
> files.

Yes... that's a problem - but only for users not set up for passwd
expiration.  You have to edit /etc/shadow again and delete the min/max
fields or the bogus policy you put in by hand will keep enforcing.  I
think this is a bug - "passwd -f" should allow (or some other switch) the
sysadmin to force a password change without affecting the expiration
policy at all, and "passwd -f" doesn't preserve the existing expiration
policy.

To manually force a password change without changing the expire policy for
an account which has valid min/max fields, just change the lastchg field
to "1" and leave the other fields alone.  A password change will be
required the next time they login, and then again in another max days.

>
> Thanks all for the help

No problem!

	Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
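The /etc/shadow edits discussed in this thread, as an added worked example (shell with awk; not code posted by anyone in the thread). It operates on a constructed sample shadow file with fake hashes, never on the real /etc/shadow, and assumes the Solaris field layout name:passwd:lastchg:min:max:warn:inactive:expire:flag. It flags entries whose lastchg is 0 (the state the posters attribute to "passwd -f"), forces a change by setting lastchg to 1 while leaving min/max/warn untouched, and, for an account that was never meant to have an expiration policy, blanks the min/max/warn fields that a by-hand "1:1:1" edit would otherwise keep enforcing. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread.  All edits go through a copy
# of the file passed as $1; run it against a temp file, never /etc/shadow.
#
# Solaris /etc/shadow: name:passwd:lastchg:min:max:warn:inactive:expire:flag
#   lastchg 0  -> state left behind by "passwd -f" per the thread (pam_unix
#                 reportedly cannot handle it)
#   lastchg 1  -> forces a change at next login, policy fields untouched

# Constructed sample shadow file (fake hashes, constructed dates).
# alice: lastchg 0 with a real 7/90/14 policy (the "passwd -f" case)
# bob:   lastchg set by hand along with a bogus 1:1:1 policy
# carol: no expiration policy at all
make_sample_shadow() {
    cat > "$1" <<'EOF'
alice:$1$abcdefgh$fakehash1:0:7:90:14:::
bob:$1$ijklmnop$fakehash2:11648:1:1:1:::
carol:$1$qrstuvwx$fakehash3:11648::::::
EOF
}

# Print the names of users whose lastchg field is literally 0.
find_zero_lastchg() {
    awk -F: '$3 == "0" { print $1 }' "$1"
}

# Force a password change for one user: lastchg := 1, every other
# field (min/max/warn/inactive/expire/flag) preserved as-is.
force_change() {  # args: shadow_file user
    awk -F: -v OFS=: -v u="$2" '$1 == u { $3 = 1 } { print }' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Remove a hand-entered min/max/warn policy from an account that should
# not be under password aging (the "1:1:1" left over from editing by hand).
clear_policy() {  # args: shadow_file user
    awk -F: -v OFS=: -v u="$2" \
        '$1 == u { $4 = ""; $5 = ""; $6 = "" } { print }' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
}

# Show lastchg:min:max:warn for one user, to verify what an edit did.
policy_of() {  # args: shadow_file user
    awk -F: -v u="$2" '$1 == u { print $3 ":" $4 ":" $5 ":" $6 }' "$1"
}

# Stand-alone demonstration on a temp copy.
demo() {
    f=$(mktemp) || exit 1
    make_sample_shadow "$f"
    echo "users with lastchg 0: $(find_zero_lastchg "$f")"
    force_change "$f" alice
    echo "alice after force_change: $(policy_of "$f" alice)"
    clear_policy "$f" bob
    echo "bob after clear_policy:   $(policy_of "$f" bob)"
    rm -f "$f"
}
```

The min/max/warn fields survive force_change because awk only rewrites the third field; that is the point the thread makes about forcing a change without disturbing an existing expiration policy.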