[PATCH] Password expiry with Privsep and PAM

Darren Tucker dtucker at zip.com.au
Wed Dec 11 06:29:38 EST 2002

Jan-Frode Myklebust wrote:
> Haven't tested this version, but a pretty recent one
> (openssh-3.5p1-passexpire8), and one thing that prevents me from using
> it is that it doesn't honor the password rules defined in /etc/security/user.
> ie. minalpha, minother, minlen, mindiff, etc..
> With your patch the users can choose zero lenght passwords. Not good.

I hadn't considered that.

This patch, however, is entirely separate from the patches you're
referring to (this is now the third series!) and deals only with
do_pam_chauthtok() and privsep.

> Unfortunately I haven't found any AIX library calls that helps here, so I
> think OpenSSH will have to implement these rules, or use the systems
> /bin/passwd which should do the right thing. BTW: why isn't the patch
> using /bin/passwd ?

For an overview of the whole mess, see:

In my other recent message on the subject, I said "the only thing I'm
certain of is everybody wants something different". In this case, the
objection was that the PAM "sshd" and "passwd" services could be
entirely different.


Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list