[PATCH] Password expiry with Privsep and PAM

Jan-Frode Myklebust janfrode at parallab.no
Wed Dec 11 02:01:42 EST 2002

On Tue, Dec 10, 2002 at 11:51:16PM +1100, Darren Tucker wrote:

> 	Attached is a patch that implements password expiry with PAM and
> privsep.  It works by passing a descriptor to the tty to the monitor,
> which sets up a child with that tty as stdin/stdout/stderr, then runs
> chauthtok().  No setuid helpers.
> 	I used some parts of Michael Steffens' patch (bugid #423) to make it
> work on HP-UX.
> 	It's still rough but it works. Tested on Solaris 8 and HPUX 11 (trusted
> configuration).
> 	Comments?

Haven't tested this version, but a pretty recent one
(openssh-3.5p1-passexpire8), and one thing that prevents me from using 
it is that it doesn't honor the password rules defined in /etc/security/user. 
ie. minalpha, minother, minlen, mindiff, etc..

With your patch the users can choose zero lenght passwords. Not good.

Unfortunately I haven't found any AIX library calls that helps here, so I 
think OpenSSH will have to implement these rules, or use the systems
/bin/passwd which should do the right thing. BTW: why isn't the patch
using /bin/passwd ?


More information about the openssh-unix-dev mailing list