Patch for changing expired passwords

Dave Dykstra dwd at bell-labs.com
Wed Oct 17 01:57:26 EST 2001


On Tue, Oct 16, 2001 at 10:44:20AM +0200, Markus Friedl wrote:
> On Mon, Oct 15, 2001 at 01:00:54PM -0500, Dave Dykstra wrote:
> > +		if (s->ttyfd != -1) {
> > +			msg = "Password for %.100s has expired, running 'passwd' to reset it";
> > +			/*
> > +			 * Can't pass "user" to 'passwd' because Linux doesn't
> > +			 * allow it.
> > +			 * Also, the prompt is friendlier without "user".
> > +			 */
> > +			command = PASSWD_PATH;
> 
> I'd prefer to move this to do_child and call packet_disconnect() if
> no tty is available.


packet_disconnect() is definitely the way to go for the error case; I'm
embarrassed that I didn't figure that out before.

However, I tried moving the forced_passwd_change code to do_child() and it
didn't work because do_exec_pty() (via do_login()/check_quiet_login()) does
different things depending on whether or not command is NULL.

Meanwhile it has occurred to me that I can further simplify the patch by
just running "passwd" out of the default $PATH rather than using a
configure.in macro to find it.  This should also make it easier to accept
most of the patch into native OpenSSH, if you've got another use for it
there.

- Dave Dykstra



--- auth.c.O	Fri Oct 12 14:42:38 2001
+++ auth.c	Tue Oct 16 11:18:36 2001
@@ -49,6 +49,9 @@
 #include "uidswap.h"
 #include "tildexpand.h"
 
+/* set when password has expired */
+int forced_passwd_change = 0;
+
 /* import */
 extern ServerOptions options;
 
@@ -90,7 +93,7 @@
 		/* Check password expiry */
 		if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) &&
 		    (days > (spw->sp_lstchg + spw->sp_max)))
-			return 0;
+			forced_passwd_change = 1;
 	}
 #else
 	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
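
Review bot: With `return 0` replaced by `forced_passwd_change = 1` in the expiry branch, this function no longer rejects an account whose password has expired, so the refusal now rests entirely on whatever reads the flag later. In this patch the only reader is do_exec() in session.c, which means any request the server honours for an authenticated user without passing through do_exec() would be served despite the expired password. Suggest either keeping the rejection as the default and lifting it only for the pty session that will run passwd, or enumerating the other request paths and checking the flag in each of them.
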
--- auth.h.O	Thu Aug 23 13:18:52 2001
+++ auth.h	Fri Oct 12 15:00:10 2001
@@ -40,6 +40,9 @@
 #include <krb5.h>
 #endif
 
+/* set when password has expired */
+extern int forced_passwd_change;
+
 typedef struct Authctxt Authctxt;
 typedef struct KbdintDevice KbdintDevice;
 
--- session.c.O	Fri Oct 12 14:42:41 2001
+++ session.c	Tue Oct 16 11:15:48 2001
@@ -656,7 +656,21 @@
 void
 do_exec(Session *s, const char *command)
 {
-	if (forced_command) {
+	if (forced_passwd_change) {
+		char *user = s->pw->pw_name;
+		char *msg;
+
+		if (s->ttyfd == -1) {
+			packet_disconnect("Password for %.100s has expired and cannot be changed without a pty", user);
+			return;
+		}
+
+		msg = "Password for %.100s has expired, running 'passwd' to reset it";
+		command = "passwd";
+		log(msg, user);
+		packet_send_debug(msg, user);
+
+	} else if (forced_command) {
 		original_command = command;
 		command = forced_command;
 		debug("Forced command '%.900s'", command);
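
Review bot: `command = "passwd";` leaves the choice of binary to whatever PATH is in effect when the command is run, so the one step that enforces the password change depends on the session environment. The earlier revision used an absolute PASSWD_PATH; an absolute path (configure-detected or a compile-time default) removes that dependency and is worth keeping even at the cost of the configure.in macro. Separately, `msg` is passed as the format argument to log() and packet_send_debug(); declaring it `const char *`, or passing the literal directly, keeps the format string constant and lets the compiler check it against `user`.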


