[Bug 188] pam_chauthtok() is called too late

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Mar 28 05:00:17 EST 2002


http://bugzilla.mindrot.org/show_bug.cgi?id=188
------- Additional Comments From Nicolas.Williams at ubsw.com  2002-03-28 05:00 -------
The patch I attached earlier fixes the bug for keyboard-interactive userauth.

For password userauth I think OpenSSH should either support
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or not even try password aging over the TTY
session as it does now.

Implementing password aging over the tty session is a *security bug* if the
underlying password validation mechanism is Kerberos (e.g., via PAM_KRB5)
because Kerberos cannot authenticate a user whose password is expired, yet by
the time the TTY session is set up the server considers the user to be
authenticated and then the client is free to open any channels it wants.

Cheers,

Nico
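
A small Python model of the two orderings described above, added here as an illustration and not code from OpenSSH or the patch attached to this bug; the Server class, user name and passwords are constructed. It contrasts handling an expired password inside userauth via SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (RFC 4252, section 8) with deferring the change to the TTY session, where the client is already authenticated and can open channels without ever changing the password.

```python
from dataclasses import dataclass, field

# RFC 4252 / RFC 4254 message numbers used in this model
USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS = 50, 51, 52
USERAUTH_PASSWD_CHANGEREQ = 60            # RFC 4252, section 8
CHANNEL_OPEN_CONFIRMATION, CHANNEL_OPEN_FAILURE = 91, 92


@dataclass
class Server:
    users: dict                           # user -> [password, expired]; constructed store
    change_in_userauth: bool              # True: expiry handled before USERAUTH_SUCCESS
    authenticated: set = field(default_factory=set)

    def userauth_password(self, user, password, new_password=None):
        """Handle one SSH_MSG_USERAUTH_REQUEST with method 'password'."""
        entry = self.users.get(user)
        if entry is None or entry[0] != password:
            return USERAUTH_FAILURE
        if entry[1]:                      # password is expired
            if self.change_in_userauth:
                if new_password is None:
                    # Client must resend the request with old and new password.
                    return USERAUTH_PASSWD_CHANGEREQ
                entry[:] = [new_password, False]
            # else: change deferred to the TTY session, as OpenSSH did here
        self.authenticated.add(user)      # too early when the change was deferred
        return USERAUTH_SUCCESS

    def channel_open(self, user):
        """Any channel type: permitted only once userauth has completed."""
        if user in self.authenticated:
            return CHANNEL_OPEN_CONFIRMATION
        return CHANNEL_OPEN_FAILURE


def run_client(change_in_userauth, reply_to_changereq):
    """Drive one exchange for user 'alice' whose password has expired.

    Returns (final userauth reply, reply to a CHANNEL_OPEN sent right after).
    """
    srv = Server({"alice": ["old-pw", True]}, change_in_userauth)
    reply = srv.userauth_password("alice", "old-pw")
    if reply == USERAUTH_PASSWD_CHANGEREQ and reply_to_changereq:
        reply = srv.userauth_password("alice", "old-pw", "new-pw")
    return reply, srv.channel_open("alice")
```

With the change handled inside userauth, a client that ignores the change request never reaches an authenticated state; with the change deferred, the channel is confirmed although the expired password was never replaced.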


