Password expiry patch plans

Darren Tucker dtucker at zip.com.au
Mon Nov 11 23:22:52 EST 2002


Corinna Vinschen wrote:
> Since Windows based systems also have the expiry problem, it would
> be helpful to have a generalized way to solve that regardless of the
> protocol in use and especially independant of AIX or PAM specific
> stuff.  Calling /bin/passwd seems a very good way, IMHO.

The issue with that is for protocol 2 execing /bin/passwd can't be done
on many platforms until you have a tty, but according to the RFC you
"MUST NOT allow an expired password to be used for authentication" and
you don't normally get a tty until after you're authenticated. Goto 1.

> Unfortunately, the current cygwin_logon_user() call used in auth-passwd.c
> doesn't return whether the authentication failed due to a expired
> password or any other problem.  But that's easily solved by changing
> Cygwin...

Must be nice to have the option of changing your platform to suit :-)

Someone mentioned to me in private email that some third-party products
(the example was CA's eTrust) replace /bin/passwd with their own binary,
and suggested a "UsePasswd yes|no" option for those cases.

How about using /bin/passwd as a last resort? ie if the change flag
isn't cleared by the time the session starts, then do it. If it gets
handled earlier, clear the flag.

You could put that in first, then if/when any of the other options go in
they have auth_password return a "change password now" value and clear
the change flag if the password is changed successfully.

Another question: what's OpenBSD going to do about password expiry via
ssh?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.



More information about the openssh-unix-dev mailing list