AIX and ADMCHG

mandar at webchat.chatsystems.com
Wed Jul 24 13:38:59 EST 2002


Ben,

   For AIX, does the server use getuserpw() to check the ADMCHG flag
before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
not? After the initial exchange, on AIX, it'll need to run a newpass() with
perhaps a getuserattr() for a more complete explanation of the rules
should the password be too weak, before sending the
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
with a SSH_MSG_USERAUTH_SUCCESS.

   Some of this may need to run in the PrivSep process. I'm assuming the
PAM support code does something along the same lines...

  Sorry, just some random thoughts - haven't actually looked at the
source. But ADMCHG was on my list of things to fix since we did the
failedlogincount in #145 (btw, Darren, thanks for following up and
integrating it into the source ;), but never got around to it.

  If we're missing this for AIX, I think we should welcome Kevin's patch
;)

- Mandar

On Tue, 23 Jul 2002, Ben Lindstrom wrote:

> Date: Tue, 23 Jul 2002 20:18:24 -0500 (CDT)
> From: Ben Lindstrom <mouring at etoh.eviladmin.org>
> To: cawlfiel <cawlfiel at austin.ibm.com>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: AIX and ADMCHG
>
>
> Ok.. I did see it.=)  It is in the source.
>
> - Ben
>
> On Tue, 23 Jul 2002, Ben Lindstrom wrote:
>
> >
> >
> > For password change to be handled correctly one needs to implement
> > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and the corresponding
> > SSH_MSG_USERAUTH_REQUEST.
> >
> > I thought I saw a patch floating around for the general support but I
> > don't have a link to it off hand.
> >
> > http://search.ietf.org/internet-drafts/draft-ietf-secsh-userauth-15.txt
> >
> > - Ben
> >
> > On Tue, 23 Jul 2002, cawlfiel wrote:
> >
> > > In AIX, whenever a root user or a member of the security group changes a
> > > user's password, the ADMCHG attribute is set which means that the next
> > > time the user logs in, he will be forced to change his password.
> > > However, ssh is currently ignoring ADMCHG.
> > >
> > > I haven't seen any mention of this on the mailing list or Bugzilla, so
> > > I'm considering writing a patch to correct this problem.  Has anyone
> > > else looked at this?
> > >
> > > -----------------------
> > >
> > > Kevin Cawlfield
> > > AIX IP Security
> > > cawlfiel at austin.ibm.com
> > >
> > > -----------------------
> > > _______________________________________________
> > > openssh-unix-dev at mindrot.org mailing list
> > > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> > >
>
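
The server-side exchange discussed in this thread, as an added example that is not part of the original messages or of the OpenSSH source: a forced-change flag must turn a correct password into SSH_MSG_USERAUTH_PASSWD_CHANGEREQ rather than SSH_MSG_USERAUTH_SUCCESS, and a rejected new password repeats the request. The `account` struct, `new_password_ok()` and `handle_password_request()` are hypothetical names, and the policy rule is an assumed stand-in for the AIX checks.

```c
#include <stdio.h>
#include <string.h>

/* Message numbers from the SSH userauth protocol. */
#define SSH_MSG_USERAUTH_FAILURE          51
#define SSH_MSG_USERAUTH_SUCCESS          52
#define SSH_MSG_USERAUTH_PASSWD_CHANGEREQ 60

/* Hypothetical account record. On AIX the admchg bit would come from the
 * ADMCHG flag discussed above; plaintext storage is a toy simplification,
 * a real server verifies against the stored hash. */
struct account {
    char password[64];
    int admchg;              /* 1 = admin set the password, change required */
};

/* Stand-in for the local password rules (assumption: at least 8 characters
 * and different from the old password). */
static int new_password_ok(const char *oldpw, const char *newpw)
{
    return strlen(newpw) >= 8 && strlen(newpw) < 64 && strcmp(oldpw, newpw) != 0;
}

/* Handle one "password" SSH_MSG_USERAUTH_REQUEST and return the reply type.
 * change = 0: plain login (newpw ignored); change = 1: old + new password. */
int handle_password_request(struct account *a, int change,
                            const char *pw, const char *newpw)
{
    if (strcmp(a->password, pw) != 0)
        return SSH_MSG_USERAUTH_FAILURE;          /* wrong (old) password */
    if (!change)                                  /* never SUCCESS while flagged */
        return a->admchg ? SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
                         : SSH_MSG_USERAUTH_SUCCESS;
    if (!new_password_ok(pw, newpw))
        return SSH_MSG_USERAUTH_PASSWD_CHANGEREQ; /* too weak: ask again */
    strcpy(a->password, newpw);                   /* length checked above */
    a->admchg = 0;                                /* change clears the flag */
    return SSH_MSG_USERAUTH_SUCCESS;
}

int main(void)
{
    struct account a = { "Temp-1234", 1 };        /* constructed sample user */
    printf("%d\n", handle_password_request(&a, 0, "Temp-1234", NULL));
    printf("%d\n", handle_password_request(&a, 1, "Temp-1234", "short"));
    printf("%d\n", handle_password_request(&a, 1, "Temp-1234", "Longer-pass-77"));
    printf("%d\n", handle_password_request(&a, 0, "Longer-pass-77", NULL));
    return 0;
}
```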




