Regarding PAM_TTY_KLUDGE and Solaris 8...
Kevin Steves
stevesk at pobox.com
Sat Oct 27 06:04:50 EST 2001
On Fri, 26 Oct 2001, Damien Miller wrote:
:The fact that pam_chauthtok was never getting called without a tty
:anyway. Look at the code path in session.c. The do_pam_chauthtok() call
:was only being made for the tty case.
yes, that is a bug.
:If there is a problem, it is that accounts with expired passwords were
:still able to execute commands. Please try the patch below for this.
:
:Index: session.c
:===================================================================
:RCS file: /var/cvs/openssh/session.c,v
:retrieving revision 1.154
:diff -u -r1.154 session.c
:--- session.c 2001/10/12 01:35:51 1.154
:+++ session.c 2001/10/26 01:30:29
:@@ -432,6 +432,9 @@
: #if defined(USE_PAM)
: do_pam_session(s->pw->pw_name, NULL);
: do_pam_setcred(1);
:+ if (is_pam_password_change_required())
:+ packet_disconnect("Password change required but no "
:+ "TTY available");
: #endif /* USE_PAM */
:
: /* Fork the child. */
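Review bot: the is_pam_password_change_required() test is placed after do_pam_session() and do_pam_setcred(1), so a PAM session is opened and credentials are established for an account that is then refused. Consider making the check before those two calls, or confirm that the packet_disconnect() path closes the session and deletes the credentials. As a style point, the body of the if is a single statement whose string literal spans two lines; braces around it would make the extent of the condition obvious. A short comment saying this branch is the no-TTY path, where do_pam_chauthtok() cannot be run, would also help the next reader.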
that works for me on hp-ux 11 and is one way to fix it. i'm not sure if
there is a better way.