[PATCH] Password expiry with Privsep and PAM

Darren Tucker dtucker at zip.com.au
Wed Dec 11 06:50:36 EST 2002

Ben Lindstrom wrote:
> On Tue, 10 Dec 2002, Jan-Frode Myklebust wrote:
> > Unfortunately I haven't found any AIX library calls that helps here, so I
> > think OpenSSH will have to implement these rules, or use the systems
> > /bin/passwd which should do the right thing. BTW: why isn't the patch
> > using /bin/passwd ?
> /bin/passwd can be used for v1, but if one is to honor v2 specs password
> change must be done before the interactive shell is started so it makes it
> harder to handle password change via /bin/passwd unless you can come up
> with a clean silver bullet that passes all information back to the user no
> matter how badly written/formatted the /bin/passwd is.

As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
requires writing expect-like functionality that would be very hard to
get right across all platforms.

> I know Darren wrote one to use /bin/passwd but after we both looked at it
> we pretty much decided it was not something we wanted to handle, but the
> more I think about this.. the more I'm starting to agree with Markus.  No
> matter the additional risks of changing passwords after the tty for v1 and
> v2 has been open it should be done that way.  This is just getting way too
> complex to even manage in my head.

Ironically, this is more or less where I started a couple of months ago
on AIX.

I posted a multi-platform patch along these lines a couple of weeks ago:
If you want me to rework it, let me know what needs changing (eg the
port forward restrictions).

Do we do away with do_pam_chauthtok too?  It does almost the same thing
as /bin/passwd.

> Then we just block non-interactive sessions with 'must change password'
> commentary  (Public keys?!?).

Good point. Can you justify forcing a password change if the password
isn't used in the login? Maybe just a warning?

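The thread's open question is what to do with an expired password depending on how the user authenticated and what kind of session is requested. The sketch below, added here as an illustration and not code from OpenSSH or from any participant in the thread, encodes the options discussed: force the change (after the tty is open, as proposed for both v1 and v2) only when the password was actually used to log in and an interactive session is requested; refuse non-interactive sessions that would otherwise need a change; and only warn when a public key was used. The field names, the `force_for_pubkey` knob, and the sample logins are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ALLOW = "allow"                  # password not expired, nothing to do
    WARN = "warn"                    # expired, but the password was not used to log in
    FORCE_CHANGE = "force_change"    # run the change once the tty is open, before the shell
    DENY = "deny"                    # non-interactive session cannot drive a password change


@dataclass
class LoginContext:
    # Hypothetical view of what the server knows after authentication (assumed field names).
    protocol: int            # 1 or 2
    auth_method: str         # "password" or "publickey"
    interactive: bool        # a tty/shell was requested, as opposed to exec/subsystem/forwarding only
    password_expired: bool   # result of the platform's expiry check (PAM, AIX, shadow, ...)


def expired_password_action(ctx: LoginContext, force_for_pubkey: bool = False) -> Action:
    """Decide how to treat an expired password for this login.

    force_for_pubkey=True mirrors the stricter reading in the thread: force a change
    even when the password was not used; the default only warns in that case.
    """
    if not ctx.password_expired:
        return Action.ALLOW
    if ctx.auth_method != "password" and not force_for_pubkey:
        return Action.WARN
    if not ctx.interactive:
        # Without a tty there is no way to present the prompts of the change
        # dialogue (PAM or /bin/passwd) to the user, so refuse the session.
        return Action.DENY
    # Both v1 and v2: perform the change after the tty is allocated, before the shell.
    return Action.FORCE_CHANGE


def describe(ctx: LoginContext, action: Action) -> str:
    """One log-style line summarising the decision (constructed format, not sshd's)."""
    kind = "interactive" if ctx.interactive else "non-interactive"
    return f"v{ctx.protocol} {ctx.auth_method} {kind} login: {action.value}"


# Constructed sample logins covering each branch of the decision.
SAMPLE_LOGINS = [
    LoginContext(2, "password", True, True),     # force a change once the tty is open
    LoginContext(2, "password", False, True),    # scp/exec with expired password: deny
    LoginContext(2, "publickey", False, True),   # key-based batch job: warn only
    LoginContext(1, "password", True, False),    # nothing expired: allow
]

if __name__ == "__main__":
    for login in SAMPLE_LOGINS:
        print(describe(login, expired_password_action(login)))
```

With `force_for_pubkey=True` the third sample becomes a deny, which shows concretely why Darren's "just a warning" question matters: forcing a change for key-based, non-interactive sessions would break every batch job whose password happens to have expired.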
