AIX and ADMCHG

Ben Lindstrom mouring at etoh.eviladmin.org
Tue Jul 30 08:05:01 EST 2002


On Thu, 25 Jul 2002, Kevin Steves wrote:

> On Tue, Jul 23, 2002 at 10:57:07PM -0500, Ben Lindstrom wrote:
> > >    For AIX, does the server use getuserpw() to check the ADMCHG flag
> > > before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> > > not? After the initial exchange, on AIX, it'll need to run a newpass() with
> > > perhaps a getuserattr() for a more complete explanation of the rules
> > > should the password be too weak, before sending the
> > > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> > > with a SSH_MSG_USERAUTH_SUCCESS.
> >
> > Right now *NOTHING* is checked.  Not for bsd_auth, not for pam, not for
> > aix, or not for /etc/shadow. =)
>
> This is referring to password strength checking?
>

No password expiring.  I don't think it is OpenSSH's job to whine at the
user for bad passwords.  It should be the job of PAM, BSD_AUTH, etc.


> > >    Some of this may need to run in the PrivSep process. I'm assuming the
> > > PAM support code does something along the same lines...
> > >
> > >   Sorry, just some random thoughts - haven't actually looked at the
> > > source. But ADMCHG was on my list of things to fix since we did the
> > > failedlogincount in #145 (btw, Darren, thanks for following up and
> > > integrating it into the source ;), but never got around to it.
> > >
> > >   If we're missing this for AIX, I think we should welcome Kevin's patch
> > > ;)
> >
> > I can also start looking at this once I get comfortable with the AIX box
> > that has been loaned to me.
> >
> > However, I don't believe Kevin's patch uses ssh2 password change protocol
> > (not sure; I have not seen it in a few months).  Whatever we do should use
> > that feature of the protocol since it allows us better security.
>
> I'm not sure if this refers to me, but which patch is this?
>

You had a patch (or I swore it was you =) that either allowed v1 or v2
password change for shadowed password files.  Or at least a start of a
patch.


> > Which brings up a question on should we support password change for v1?
> > I'm inclined to say no.  At least handle v2 protocol first.
>
> We should support Protocol 1 for password change.  PAM users should
> look at current auth-pam.c which has solar's efforts in this area.
> I think we can re-enable password change for PAM now, but there are
> some other things I need to check.
>

Still we need to look at Protocol 2.  And I'm totally and utterly confused
as to where password change code should even go.

- Ben
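The exchange the thread is debating (server sees the AIX ADMCHG flag, answers the password request with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, rejects a weak replacement with another CHANGEREQ, and finally sends SSH_MSG_USERAUTH_SUCCESS) modelled end to end, as an added example that is not OpenSSH code and not from anyone in this thread. The wire formats are those of the SSH2 password method as later standardized in RFC 4252 section 8; the Account record, the too_weak() strength rule and the user/password values are constructed assumptions standing in for getuserpw()/newpass() and the OS policy. Both sides of the exchange are in the one block so it runs offline.

```python
"""Added example, not OpenSSH code: a model of the SSH2 password-change
exchange (RFC 4252 section 8) for an account whose AIX ADMCHG flag is set.
The Account record, the strength rule and the sample values are
assumptions for illustration; only the message layouts follow the RFC."""
import struct
from typing import Optional

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH 'string' at offset off; return (bytes, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def password_request(user: str, password: str, new_password: Optional[str] = None) -> bytes:
    """Client side: SSH_MSG_USERAUTH_REQUEST, method 'password'.
    With new_password the boolean is TRUE and old+new passwords follow."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode())
           + ssh_string(b"ssh-connection") + ssh_string(b"password"))
    if new_password is None:
        return msg + b"\x00" + ssh_string(password.encode())
    return msg + b"\x01" + ssh_string(password.encode()) + ssh_string(new_password.encode())


def passwd_changereq(prompt: str) -> bytes:
    """Server side: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, string prompt, string language tag."""
    return bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]) + ssh_string(prompt.encode()) + ssh_string(b"")


def userauth_failure() -> bytes:
    """Server side: SSH_MSG_USERAUTH_FAILURE, name-list of methods that can continue, partial=FALSE."""
    return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"password") + b"\x00"


class Account:
    """Constructed stand-in for an AIX user record; admchg is the
    'administrator forced a change' flag the thread wants sshd to honour."""
    def __init__(self, password: str, admchg: bool):
        self.password = password
        self.admchg = admchg


def too_weak(old: str, new: str) -> Optional[str]:
    """Assumed strength rule (a real sshd would defer to the OS or PAM); returns a reason or None."""
    if len(new) < 8:
        return "new password must be at least 8 characters"
    if new == old:
        return "new password must differ from the old one"
    return None


def server_handle(account: Account, request: bytes) -> bytes:
    """Server side: decide SUCCESS, FAILURE or CHANGEREQ for one request."""
    assert request[0] == SSH_MSG_USERAUTH_REQUEST
    off = 1
    _user, off = read_string(request, off)
    _service, off = read_string(request, off)
    method, off = read_string(request, off)
    assert method == b"password"
    changing = request[off] == 1
    off += 1
    old, off = read_string(request, off)
    if old.decode() != account.password:
        return userauth_failure()            # wrong password: do not reveal ADMCHG state
    if not changing:
        if account.admchg:
            return passwd_changereq("Your password has expired; please choose a new one")
        return bytes([SSH_MSG_USERAUTH_SUCCESS])
    new, off = read_string(request, off)
    reason = too_weak(old.decode(), new.decode())
    if reason:
        return passwd_changereq(reason)      # loop: client must send another change request
    account.password = new.decode()
    account.admchg = False                   # cleared only after a successful change
    return bytes([SSH_MSG_USERAUTH_SUCCESS])


def run_exchange(account: Account, requests) -> list:
    """Feed client requests in order; return the server message types sent back."""
    return [server_handle(account, r)[0] for r in requests]


if __name__ == "__main__":
    acct = Account("hunter2", admchg=True)   # constructed sample account
    print(run_exchange(acct, [
        password_request("alice", "hunter2"),                          # login -> CHANGEREQ
        password_request("alice", "hunter2", "short"),                 # weak  -> CHANGEREQ
        password_request("alice", "hunter2", "correct horse battery"), # ok    -> SUCCESS
        password_request("alice", "correct horse battery"),            # next login -> SUCCESS
    ]))
```

The point the model makes concrete is the one Ben raises about where the code goes: the decision to send CHANGEREQ needs the account flag, and accepting the new password needs the OS strength check, so both live on the privileged side of the authentication state machine, while the unprivileged side only ever encodes and decodes the RFC 4252 messages.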
