Password expiry patch plans

Ben Lindstrom mouring at etoh.eviladmin.org
Mon Nov 11 02:31:55 EST 2002


On Sun, 10 Nov 2002, Michael Steffens wrote:

[..]
> > 4) Make the general case for proto 1 call /bin/passwd (including for
> > PAM). Maybe look at the following later:
>
> Why /bin/passwd also for PAM?  What's wrong with the helper
> dedicated to "sshd" service? Would consider that at least a
> little bit cleaner.
>

Two reasons.

1. It is yet another setuid binary (well maybe not in OpenBSD's case), but
I'm really not sure I want to even go near the topic with Theo/Markus.

2. Anytime you write such things you MUST ensure all your p's and q's are
right.  That there is *NO* way for someone to abuse it from user space.
Which brings me back to #1.

I agree it would be nice to do this password change all through a helper
program.  It would allow local admins to implement the level of strictness
based on their needs (same with how we do entropy collection now), but
again it comes back to the ability to abuse a setuid binary.

I don't want to be the next person to introduce the next misfeature into
OpenSSH that allows the local machine to be compromised.  And skimming
through your example code does not make me want to rush out and implement
it.

- Ben




More information about the openssh-unix-dev mailing list