Password expiry related clarification in OpenSSH3.5p1

Darren Tucker dtucker at
Wed Dec 11 00:09:27 EST 2002

Kevin Steves wrote:
> fyi (I'm behind in following the password expire efforts).
> ----- Forwarded message from Logu <logsnaath at> -----
> Date: Sat, 7 Dec 2002 02:42:52 +0530
> From: "Logu" <logsnaath at>
> We are using OpenSSH3.1p1 and now planned to shift to OpenSSH3.5p1. Among
> other changes, we would like to know specifically the reasons for the
> commented part of the PAM account expiration part in auth-pam.c.
> Why is this part of the code not used in 3.5p1? Are there any specific
> reasons for not using this part of the code?

That's because it doesn't work with privsep, no?

The bit I don't get is in auth-pam.c:
#if 0
	/* XXX: This would need to be done in the parent process,
	 * but there's currently no way to pass such request. */
	no_port_forwarding_flag &= ~2;
I think that should read "child process", assuming chauthtok is run by
the monitor.

I've done a fair amount of work on various expiry methods, but what I
need is someone to say "do X and the results will be merged".  The only
thing I'm certain of is everybody wants something different.

Some of the patches are at, the
rest can be found in the list archives.

Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list