AIX and ADMCHG
Kevin Steves
kevin at atomicgears.com
Fri Jul 26 07:42:04 EST 2002
On Tue, Jul 23, 2002 at 10:57:07PM -0500, Ben Lindstrom wrote:
> > For AIX, does the server use getuserpw() to check the ADMCHG flag
> > before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> > not? After the initial exchange, on AIX, it'll need to run a newpass() with
> > perhaps a getuserattr() for a more complete explanation of the rules
> > should the password be too weak, before sending the
> > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> > with a SSH_MSG_USERAUTH_SUCCESS.
>
> Right now *NOTHING* is checked. Not for bsd_auth, not for pam, not for
> aix, or not for /etc/shadow. =)
This is referring to password strength checking?
> > Some of this may need to run in the PrivSep process. I'm assuming the
> > PAM support code does something along the same lines...
> >
> > Sorry, just some random thoughts - haven't actually looked at the
> > source. But ADMCHG was on my list of things to fix since we did the
> > failedlogincount in #145 (btw, Darren, thanks for following up and
> > integrating it into the source ;), but never got around to it.
> >
> > If we're missing this for AIX, I think we should welcome Kevin's patch
> > ;)
>
> I can also start looking at this once I get comfortable with the AIX box
> that has been loaned to me.
>
> However, I don't believe Kevin's patch uses ssh2 password change protocol
> (not sure, I have not seen it in a few months). Whatever we do should use
> that feature of the protocol since it allows us better security.
I'm not sure if this refers to me, but which patch is this?
> Which brings up a question on should we support password change for v1?
> I'm inclined to say no. At least handle v2 protocol first.
We should support Protocol 1 for password change. PAM users should
look at current auth-pam.c which has solar's efforts in this area.
I think we can re-enable password change for PAM now, but there are
some other things I need to check.
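The exchange the thread sketches (the server decides from a forced-change flag whether to answer a password login with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, then repeats that request while the proposed new password is too weak, and only then sends SSH_MSG_USERAUTH_SUCCESS), as an added Python model that is neither OpenSSH code nor from the thread. The wire layout follows the RFC 4252 "password" method; the `account` dict and the 8-character minimum are constructed stand-ins for AIX's getuserpw() ADMCHG flag and newpass() rules.

```python
import struct

# SSH2 userauth message numbers (RFC 4252).
SSH_MSG_USERAUTH_REQUEST, SSH_MSG_USERAUTH_FAILURE = 50, 51
SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 52, 60

def put_string(b):  # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def get_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_request(user, pw, new_pw=None):
    # Client -> server: "password" method. The boolean is TRUE and a second
    # string (the new password) follows only when answering a CHANGEREQ.
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user.encode())
           + put_string(b"ssh-connection") + put_string(b"password"))
    if new_pw is None:
        return msg + b"\x00" + put_string(pw.encode())
    return msg + b"\x01" + put_string(pw.encode()) + put_string(new_pw.encode())

def server_handle(msg, account):
    # Returns the reply message number. `account` is a constructed stand-in for the
    # AIX record: 'admchg' plays ADMCHG, the length rule plays the newpass() policy.
    _user, off = get_string(msg, 1)
    _service, off = get_string(msg, off)
    method, off = get_string(msg, off)
    if msg[0] != SSH_MSG_USERAUTH_REQUEST or method != b"password":
        return SSH_MSG_USERAUTH_FAILURE
    change, off = msg[off] == 1, off + 1
    old_pw, off = get_string(msg, off)
    if old_pw != account["password"]:  # the current password is always verified first
        return SSH_MSG_USERAUTH_FAILURE
    if not change:
        return SSH_MSG_USERAUTH_PASSWD_CHANGEREQ if account["admchg"] else SSH_MSG_USERAUTH_SUCCESS
    new_pw, _ = get_string(msg, off)
    if len(new_pw) < 8 or new_pw == old_pw:  # too weak: send CHANGEREQ again
        return SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
    account["password"], account["admchg"] = new_pw, False
    return SSH_MSG_USERAUTH_SUCCESS

def run_exchange(account, pw, candidates):
    # Plain login, then answer each CHANGEREQ with the next candidate until accepted.
    replies = [server_handle(build_request("alice", pw), account)]
    for new_pw in candidates:
        if replies[-1] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
            break
        replies.append(server_handle(build_request("alice", pw, new_pw), account))
    return replies
```

A real CHANGEREQ also carries a prompt and language tag, which is where the fuller rule explanation from getuserattr() mentioned above would go; the model only tracks which message number the server answers with.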
More information about the openssh-unix-dev
mailing list