[PATCH] Password expiry with Privsep and PAM

Peter Stuge stuge-openssh-unix-dev at cdy.org
Wed Dec 11 07:19:01 EST 2002


On Wed, Dec 11, 2002 at 06:50:36AM +1100, Darren Tucker wrote:
> As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
> requires writing expect-like functionality that would be very hard to
> get right across all platforms.

Would it really?  Remember that this project has a lot of good people coming
from different platforms.  Also keep in mind that the PASSWD_CHANGEREQ
protocol is the single smallest denominator, severly limiting what needs to
be supported.  I'm thinking all that can be expected is for sshd to handle
cases where passwd wants either the old or the new password, sshd doesn't
have any other information at that time and no real way to get any either,
unless the protocol is extended, right?

Two scenarios become possible:

1. openssh implements all neccessary local password changing stuff - PITA
overhead but when done a lot lower "instance" overhead, the PASSWD_CHANGEREQ
becomes more lightweight.  However, openssh might have to deal with vendor
quux's broken system yet another time.

2. openssh uses passwd because of law of least resistance, this is the
simplest path to go.  When vendor xyzzy ends up having a passwd that
requires more capabilities than sshd has while in PASSWD_CHANGEREQ they can
either fix their passwd or try to convince us that we should switch to (1).

Set up an easy scheme to add support for platforms with (2) and I think it'd
happen pretty quickly.


//Peter



More information about the openssh-unix-dev mailing list