[PATCH] Password expiry with Privsep and PAM

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Dec 11 04:11:01 EST 2002


On Tue, 10 Dec 2002, Jan-Frode Myklebust wrote:

[..]
> Haven't tested this version, but a pretty recent one
> (openssh-3.5p1-passexpire8), and one thing that prevents me from using
> it is that it doesn't honor the password rules defined in /etc/security/user.
> ie. minalpha, minother, minlen, mindiff, etc..
>
> With your patch the users can choose zero length passwords. Not good.
>
> Unfortunately I haven't found any AIX library calls that helps here, so I
> think OpenSSH will have to implement these rules, or use the systems
> /bin/passwd which should do the right thing. BTW: why isn't the patch
> using /bin/passwd ?
>

/bin/passwd can be used for v1, but if one is to honor v2 specs password
change must be done before the interactive shell is started so it makes it
harder to handle password change via /bin/passwd unless you can come up
with a clean silver bullet that passes all information back to the user no
matter how badly written/formatted the /bin/passwd is.

I know Darren wrote one to use /bin/passwd but after we both looked at it
we pretty much decided it was not something we wanted to handle, but the
more I think about this.. the more I'm starting to agree with Markus.  No
matter the additional risks of changing passwords after the tty for v1 and
v2 has been open it should be done that way.  This is just getting way too
complex to even manage in my head.


Then we just block non-interactive sessions with 'must change password'
commentary (Public keys?!?).

- Ben
