Password expiry patch plans

Darren Tucker dtucker at
Sun Nov 10 17:01:08 EST 2002

[was Re: [Bug 423] Workaround for pw change in privsep mode (3.5.p1)]

Frank Cusack wrote:
> The PAM framework demands the type of exchange that
> only keyboard-interactive offers.  The way the "password" authentication
> method interacts with PAM is a kludge.

After following this thread and thinking about this for a while, this is
the current plan for my experimental expiry patch[0]:

1) Add "int password_changereq" and "char *postauth_message" to struct
Authctxt. This will allow elimination of a bunch of global variables (eg
password_change_required, loginmsg) and some #defines, and allow the
merge of some of the AIX & PAM specific code (eg in session.c). It will
require the parameters of getpwnamallow and friends to be changed to
authctxt and another monitor wrapper for is_password_change_required and
maybe get_login_messages. Would anyone object to that?

2) Write a pam_change_password function that uses do_pam_conversation in
INITIAL_LOGIN (ie "blind") mode and plug it into auth_change_password.
This should cover the majority of simple cases (ie basically the same
cases that the existing auth_pam_password function covers for "password"
authentication) and work with privsep.

3) Hack pam_chauthtok into keyboard-interactive for proto 2 to handle
the tricky PAM cases the Right Way. It won't work with privsep (see 6)
but apparently it doesn't now anyway. People requiring deep PAM magic
can use that ("PAMAuthenticationViaKbdInt yes").

4) Make the general case for proto 1 call /bin/passwd (including for
PAM). Maybe look at the following later:
> Not so fast there. :-)  Look in the bugs db for a TISviaPAM patch.  This
> uses the ssh1 TIS auth method to do the same thing that kbdint does.

5) Add something like the following to the unpriv child:
if (PRIVSEP(is_password_change_required())) 
	disable port forwarding
	disable agent 

6) Make keyboard-interactive work with PAM & privsep. This one is a bit
hazy but might involve a privsep-specific pam conversation function and
some explicit to-and-fro between priv and unpriv (ie not just via the
wrapper). Not sure.


[0] See
Darren Tucker (dtucker at
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list