SSH / PAM / Kerberos / password aging

Frank Cusack fcusack at fcusack.com
Wed Mar 27 09:13:26 EST 2002


On Tue, Mar 26, 2002 at 04:34:18PM -0500, Nicolas Williams wrote:
> Ok, so, things are complicated.
> 
> The PAM standard insists on password aging being done after account
> authorization, which comes after user authentication. Kerberos can't
> authenticate users whose passwords are expired.
> 
> So PAM_KRB5 implementations tend to return PAM_SUCCESS from
> pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt()
> to return PAM_NEW_AUTHTOK_REQD, as required by PAM even though the user
> can't be said to be authenticated at that point.
> 
> The problem with this is that by the time pam_acct_mgmt() is called in
> OpenSSH userauth has been completed, so kbd-interactive is not used for
> the password changing and instead the work is relegated till the TTY
> session is setup. By then the login process has begun and the user even
> has a UTMP entry.
> 
> To make matters worse, OpenSSH calls pam_setcred() before
> pam_chauthtok(). Clearly that is wrong.
> 
> Our PAM_KRB5 module has a module option "pw_exp_in_auth" which causes it
> to do the password aging prompting in pam_krb5:pam_sm_authenticate().
> Using this option with the "sshd" PAM service causes password aging to
> be performed over the kbd-interactive protocol. Good? Bad? I say "good."

Qualified good.  Wouldn't it be better to do pam_acct_mgmt() before kbdint
et al complete?  Your solution requires a rewrite of all PAM modules.

/fc
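The ordering problem in the thread (pam_acct_mgmt and pam_chauthtok running only after userauth is complete, with pam_setcred already called) is easiest to see as a call trace. The following is an added toy model, not OpenSSH or pam_krb5 code: a stand-in module behaves as the mail describes (PAM_SUCCESS from authenticate, PAM_NEW_AUTHTOK_REQD from acct_mgmt for an expired password), and two drivers show in which phase the password-change prompts end up. The "pw_exp_in_auth" option name is taken from the mail; the driver names, the Tracer class and the prompt strings are constructed for this example, and the numeric constants are those used in Linux-PAM's headers.

```python
"""Toy model of the PAM call ordering discussed in the thread.  Constructed
example: neither OpenSSH nor pam_krb5 code.  A stand-in pam_krb5 module
reports PAM_SUCCESS from pam_sm_authenticate and PAM_NEW_AUTHTOK_REQD from
pam_sm_acct_mgmt for an expired password; the drivers record in which phase
(userauth, where kbd-interactive is available, vs. session) each prompt
and PAM call happens."""

PAM_SUCCESS = 0
PAM_NEW_AUTHTOK_REQD = 12          # values as in Linux-PAM's headers
PAM_CHANGE_EXPIRED_AUTHTOK = 0x20


class FakeKrb5Module:
    """Stand-in for the pam_krb5 behaviour described in the mail."""

    def __init__(self, expired, pw_exp_in_auth=False):
        self.expired = expired                  # Kerberos password expired?
        self.pw_exp_in_auth = pw_exp_in_auth    # module option named in the mail

    def authenticate(self, conv):
        conv("Password:")
        if self.expired and self.pw_exp_in_auth:
            # pw_exp_in_auth: do the aging prompts inside authenticate so
            # they travel over whatever conversation userauth is using.
            self.chauthtok(conv, PAM_CHANGE_EXPIRED_AUTHTOK)
        # Kerberos cannot verify an expired password, but the module still
        # reports success and leaves the expiry to acct_mgmt, as described.
        return PAM_SUCCESS

    def acct_mgmt(self):
        return PAM_NEW_AUTHTOK_REQD if self.expired else PAM_SUCCESS

    def chauthtok(self, conv, flags):
        if flags & PAM_CHANGE_EXPIRED_AUTHTOK and not self.expired:
            return PAM_SUCCESS               # nothing expired, nothing to do
        conv("New password:")
        conv("Retype new password:")
        self.expired = False
        return PAM_SUCCESS

    def setcred(self):
        return PAM_SUCCESS


class Tracer:
    """Records PAM calls and conversation prompts with the phase they ran in."""

    def __init__(self):
        self.phase = "userauth"   # kbd-interactive exists only in this phase
        self.events = []

    def conv(self, prompt):
        self.events.append((self.phase, prompt))

    def call(self, name, fn, *args):
        self.events.append((self.phase, name))
        return fn(*args)


def deferred_driver(module):
    """Ordering the mail complains about: userauth ends after authenticate
    alone; acct_mgmt, setcred and the session come next, and chauthtok runs
    last, once a TTY session already exists."""
    t = Tracer()
    t.call("pam_authenticate", module.authenticate, t.conv)
    t.phase = "session"
    needs_change = t.call("pam_acct_mgmt", module.acct_mgmt) == PAM_NEW_AUTHTOK_REQD
    t.call("pam_setcred", module.setcred)
    t.events.append((t.phase, "pam_open_session"))
    if needs_change:
        t.call("pam_chauthtok", module.chauthtok, t.conv, PAM_CHANGE_EXPIRED_AUTHTOK)
    return t.events


def acct_mgmt_in_userauth_driver(module):
    """The reply's suggestion: run acct_mgmt (and any forced chauthtok)
    before userauth completes, so the prompts use kbd-interactive, and only
    then hand out credentials and open the session."""
    t = Tracer()
    t.call("pam_authenticate", module.authenticate, t.conv)
    if t.call("pam_acct_mgmt", module.acct_mgmt) == PAM_NEW_AUTHTOK_REQD:
        t.call("pam_chauthtok", module.chauthtok, t.conv, PAM_CHANGE_EXPIRED_AUTHTOK)
    t.phase = "session"
    t.call("pam_setcred", module.setcred)
    t.events.append((t.phase, "pam_open_session"))
    return t.events


def prompt_phases(events):
    """Set of (phase, prompt) pairs: prompts are the events ending in ':'."""
    return {e for e in events if e[1].endswith(":")}


def setcred_precedes_chauthtok(events):
    """True when the application called pam_setcred before pam_chauthtok."""
    names = [n for _, n in events]
    return ("pam_chauthtok" in names
            and names.index("pam_setcred") < names.index("pam_chauthtok"))
```

Running an expired account through deferred_driver puts "New password:" in the session phase with pam_setcred already done; acct_mgmt_in_userauth_driver puts it in the userauth phase. The pw_exp_in_auth option gets the prompts into userauth even under the deferred ordering, but only because that one module prompts from inside authenticate, which is the point the reply makes about every other module needing the same rewrite.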
