AIX and ADMCHG
Ben Lindstrom
mouring at etoh.eviladmin.org
Wed Jul 24 13:57:07 EST 2002
On Tue, 23 Jul 2002 mandar at webchat.chatsystems.com wrote:
> Ben,
>
> For AIX, does the server use getuserpw() to check the ADMCHG flag
> before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> not? After the initial exchange, on AIX, it'll need to run a newpass() with
> perhaps a getuserattr() for a more complete explanation of the rules
> should the password be too weak, before sending the
> SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> with a SSH_MSG_USERAUTH_SUCCESS.
>
Right now *NOTHING* is checked. Not for bsd_auth, not for pam, not for
aix, or not for /etc/shadow. =)
> Some of this may need to run in the PrivSep process. I'm assuming the
> PAM support code does something along the same lines...
>
> Sorry, just some random thoughts - haven't actually looked at the
> source. But ADMCHG was on my list of things to fix since we did the
> failedlogincount in #145 (btw, Darren, thanks for following up and
> integrating it into the source ;), but never got around to it.
>
> If we're missing this for AIX, I think we should welcome Kevin's patch
> ;)
>
I can also start looking at this once I get comfortable with the AIX box
that has been loaned to me.
However, I don't believe Kevin's patch uses the ssh2 password change protocol
(not sure, I have not seen it in a few months). Whatever we do should use
that feature of the protocol since it allows us better security.
Which brings up a question: should we support password change for v1?
I'm inclined to say no. At least handle v2 protocol first.
I have a question out to markus because I can see where the code belongs,
but I can't figure out how to actually trigger it correctly.
However, don't expect this to be in 3.5. This is pretty much 3.6 material.
- Ben
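The server-side flow mandar sketches above (check the forced-change flag, send SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, test the new password against the rules, repeat until SSH_MSG_USERAUTH_SUCCESS), as an added Python model that is not OpenSSH code. Message numbers and the wire layout are RFC 4252's; the account table, the minimum-length rule and the prompt texts are constructed stand-ins for what getuserpw()/ADMCHG and getuserattr() would supply on AIX.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60

# Constructed account table standing in for getuserpw(); 'admchg' models ADMCHG.
ACCOUNTS = {b"alice": {"password": b"old-secret", "admchg": True}}
MIN_LEN = 8  # constructed stand-in for a rule getuserattr() would report

def ssh_string(b: bytes) -> bytes:
    """SSH 'string' wire type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def password_request(user: bytes, old_pw: bytes, new_pw: bytes = None) -> bytes:
    """Client 'password' method request; the boolean marks a change attempt."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user)
           + ssh_string(b"ssh-connection") + ssh_string(b"password"))
    if new_pw is None:
        return msg + b"\x00" + ssh_string(old_pw)
    return msg + b"\x01" + ssh_string(old_pw) + ssh_string(new_pw)

def parse_password_request(pkt: bytes):
    """Server-side parse into (user, old_pw, new_pw or None)."""
    fields, pos = [], 1
    while pos < len(pkt):
        if len(fields) == 3:            # the boolean sits after the method name
            fields.append(pkt[pos]); pos += 1; continue
        (n,) = struct.unpack(">I", pkt[pos:pos + 4]); pos += 4
        fields.append(pkt[pos:pos + n]); pos += n
    user, _service, _method, change, *pws = fields
    return user, pws[0], (pws[1] if change else None)

def server_handle(pkt: bytes) -> bytes:
    """Decide FAILURE / CHANGEREQ / SUCCESS the way the thread describes."""
    user, old_pw, new_pw = parse_password_request(pkt)
    acct = ACCOUNTS.get(user)
    if acct is None or acct["password"] != old_pw:   # old password must verify first
        return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"password") + b"\x00"
    if not acct["admchg"]:
        return bytes([SSH_MSG_USERAUTH_SUCCESS])
    if new_pw is None:                               # flag set, no new password yet
        prompt = b"Your password has expired; enter a new one"
    elif len(new_pw) < MIN_LEN:                      # rule check failed: explain, ask again
        prompt = b"Password too short: at least %d characters" % MIN_LEN
    else:                                            # accepted: store it, clear the flag
        acct["password"], acct["admchg"] = new_pw, False
        return bytes([SSH_MSG_USERAUTH_SUCCESS])
    return bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]) + ssh_string(prompt) + ssh_string(b"en")
```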