[PATCH] Password expiry with Privsep and PAM

Darren Tucker dtucker at zip.com.au
Wed Dec 11 06:29:38 EST 2002


Jan-Frode Myklebust wrote:
> Haven't tested this version, but a pretty recent one
> (openssh-3.5p1-passexpire8), and one thing that prevents me from using
> it is that it doesn't honor the password rules defined in /etc/security/user.
> ie. minalpha, minother, minlen, mindiff, etc..
>
> With your patch the users can choose zero lenght passwords. Not good.

I hadn't considered that.

This patch, however, is entirely separate from the patches you're
referring to (this is now the third series!) and deals only with
do_pam_chauthtok() and privsep.

> Unfortunately I haven't found any AIX library calls that helps here, so I
> think OpenSSH will have to implement these rules, or use the systems
> /bin/passwd which should do the right thing. BTW: why isn't the patch
> using /bin/passwd ?

For an overview of the whole mess, see:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103658633821391&w=2

In my other recent message on the subject, I said "the only thing I'm
certain of is everybody wants something different". In this case, the
objection was that the PAM "sshd" and "passwd" services could be
entirely different.

http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103666384931272&w=2

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



More information about the openssh-unix-dev mailing list