Password expiry patch plans
Frank Cusack
fcusack at fcusack.com
Mon Nov 11 20:52:24 EST 2002
On Sun, Nov 10, 2002 at 05:01:08PM +1100, Darren Tucker wrote:
> After following this thread and thinking about this for a while, this is
> the current plan for my experimental expiry patch[0]:
>
> 1) Add "int password_changereq" and "char *postauth_message" to struct
> Authctxt. [...]
>
> 2) Write a pam_change_password function that uses do_pam_conversation in
> INITIAL_LOGIN (ie "blind") mode and plug it into auth_change_password. [...]
>
> 3) Hack pam_chauthtok into keyboard-interactive for proto 2 to handle
> the tricky PAM cases the Right Way. [...]
>
> 4) Make the general case for proto 1 call /bin/passwd (including for
> PAM). [...]
>
> 5) Add something like the following to the unpriv child:
>     if (PRIVSEP(is_password_change_required()))
>         disable port forwarding
>         disable agent
>         etc
>
> 6) Make keyboard-interactive work with PAM & privsep. [...]
>
> Comments?
Well, I'm certainly a fan of (3). I couldn't care about (6). I can't
speak to the other ones. I'm confused about (5). Are you saying you
would re-enable those after the password change?
/fc