AIX and ADMCHG

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Jul 24 13:57:07 EST 2002


On Tue, 23 Jul 2002 mandar at webchat.chatsystems.com wrote:

> Ben,
>
>    For AIX, does the server use getuserpw() to check the ADMCHG flag
> before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> not? After the initial exchange, on AIX, it'll need to run a newpass() with
> perhaps a getuserattr() for a more complete explanation of the rules
> should the password be too weak, before sending the
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> with a SSH_MSG_USERAUTH_SUCCESS.
>

Right now *NOTHING* is checked.  Not for bsd_auth, not for pam, not for
aix, nor for /etc/shadow. =)

>    Some of this may need to run in the PrivSep process. I'm assuming the
> PAM support code does something along the same lines...
>
>   Sorry, just some random thoughts - haven't actually looked at the
> source. But ADMCHG was on my list of things to fix since we did the
> failedlogincount in #145 (btw, Darren, thanks for following up and
> integrating it into the source ;), but never got around to it.
>
>   If we're missing this for AIX, I think we should welcome Kevin's patch
> ;)
>

I can also start looking at this once I get comfortable with the AIX box
that has been loaned to me.

However, I don't believe Kevin's patch uses the ssh2 password change protocol
(not sure, I have not seen it in a few months).  Whatever we do should use
that feature of the protocol since it allows us better security.

Which brings up a question of whether we should support password change for v1.
I'm inclined to say no.  At least handle the v2 protocol first.

I have a question out to markus because I can see where the code belongs,
but I can't figure out how to actually trigger it correctly.

However, don't expect this to be in 3.5. This is pretty much 3.6 material.

- Ben
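The server-side loop mandar sketches above (check the ADMCHG flag, send SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, reject a weak choice with an explanation, finish with SSH_MSG_USERAUTH_SUCCESS), as an added C model that is neither OpenSSH code nor Kevin's patch: the AIX calls and flag value are replaced by a constructed in-memory user, and `passwd_auth_step`, `demo_exchange` and `SIM_PW_ADMCHG` are hypothetical names.

```c
#include <stdio.h>
#include <string.h>
/* SIM_PW_ADMCHG is a constructed stand-in for the PW_ADMCHG bit of AIX
 * <userpw.h>; getuserpw()/newpass()/getuserattr() are not called here. */
#define SIM_PW_ADMCHG 0x2
enum msg { MSG_USERAUTH_SUCCESS, MSG_USERAUTH_FAILURE, MSG_USERAUTH_PASSWD_CHANGEREQ };
struct sim_user {
    char passwd[64];    /* plaintext only because this is a simulation */
    int flags;          /* SIM_PW_ADMCHG: administrator reset the password */
    int minlen;         /* stands in for a getuserattr() minimum-length rule */
};
/* Server-side decision for one "password" userauth request.  newpw is NULL for
 * a plain request and set when the client answers a PASSWD_CHANGEREQ (RFC 4252
 * section 8: boolean TRUE, old password, new password). */
enum msg passwd_auth_step(struct sim_user *u, const char *pw, const char *newpw,
                          char *prompt, size_t plen)
{
    /* Old credential first: a change prompt must not leak account state. */
    if (strcmp(pw, u->passwd) != 0)
        return MSG_USERAUTH_FAILURE;
    if (!(u->flags & SIM_PW_ADMCHG))
        return MSG_USERAUTH_SUCCESS;
    if (newpw == NULL) {
        snprintf(prompt, plen, "Password was reset by the administrator");
        return MSG_USERAUTH_PASSWD_CHANGEREQ;
    }
    /* Weak or unchanged choice: explain the rule and ask again (newpass() role). */
    if (strlen(newpw) < (size_t)u->minlen || strcmp(newpw, u->passwd) == 0) {
        snprintf(prompt, plen, "Need >= %d chars, different from the old", u->minlen);
        return MSG_USERAUTH_PASSWD_CHANGEREQ;
    }
    snprintf(u->passwd, sizeof u->passwd, "%s", newpw);
    u->flags &= ~SIM_PW_ADMCHG; /* change done: clear the flag */
    return MSG_USERAUTH_SUCCESS;
}
/* Drives a full exchange for a constructed user: login, two rejected choices,
 * then an accepted one.  Returns the CHANGEREQ count (3), or -1 if it went wrong. */
int demo_exchange(void)
{
    struct sim_user u = { "reset123", SIM_PW_ADMCHG, 8 };
    const char *tries[] = { NULL, "short", "reset123", "c0rrect-horse" };
    char prompt[96];
    enum msg m = MSG_USERAUTH_PASSWD_CHANGEREQ;
    int n;
    for (n = 0; n < 4 && m == MSG_USERAUTH_PASSWD_CHANGEREQ; n++)
        m = passwd_auth_step(&u, "reset123", tries[n], prompt, sizeof prompt);
    return (m == MSG_USERAUTH_SUCCESS && u.flags == 0) ? n - 1 : -1;
}
```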
