SSH Bug 3.5p1 Expired Passwords
Frank Beckmann
Frank.Beckmann at vodafone.com
Thu Oct 17 06:36:21 EST 2002
Hello,
thank you for your fast answer.
I have changed auth-pam.c.
Now SSH accepts an expired user, and in the following login procedure the user can change the
password :-)
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /home/fbeckman/.ssh/config
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 34771 geteuid 0 anon 1
debug1: Connecting to webmann [139.7.180.69] port 22.
debug1: temporarily_use_uid: 34771/13000 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 34771/13000 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/fbeckman/.ssh/identity type 0
debug1: identity file /home/fbeckman/.ssh/id_rsa type 1
debug1: identity file /home/fbeckman/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'webmann' is known and matches the RSA1 host key.
debug1: Found key in /home/fbeckman/.ssh/known_hosts:8
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/fbeckman/.ssh/identity'
debug1: Received RSA challenge from server.
debug1: Sending response to host key RSA challenge.
debug1: Remote: RSA authentication accepted.
debug1: RSA authentication accepted by server.
debug1: Requesting pty.
debug1: fd 4 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Warning: Your password has expired, please change it now.
Enter login password:
New password:
Re-enter new password:
sshd (SYSTEM): passwd successfully changed for fbeckman
-----------------------------------------------------------------------
Another thing ...
we changed the source of session.c, because ssh is identified by PAM (Solaris) as
telnet.
Org
session.c
-----snip------
    /* Launch login(1). */
    execl(LOGIN_PROGRAM, "login", "-h", hostname,
#ifdef xxxLOGIN_NEEDS_TERM
        (s->term ? s->term : "unknown"),
#endif /* LOGIN_NEEDS_TERM */
#ifdef LOGIN_NO_ENDOPT
        "-p", "-f", pw->pw_name, (char *)NULL);
#else
        "-p", "-f", "--", pw->pw_name, (char *)NULL);
#endif
    /* Login couldn't be executed, die. */
    perror("login");
    exit(1);
}
-------snip------
New
session.c
----snip ---
    /* Launch login(1). */
    execl(LOGIN_PROGRAM, "login",
#ifdef LOGIN_NO_ENDOPT
        "-p", "-f", pw->pw_name, (char *)NULL);
#else
        "-p", "-f", "--", pw->pw_name, (char *)NULL);
#endif
    /* Login couldn't be executed, die. */
    perror("login");
    exit(1);
}
-----snip-----
Now ssh is identified correctly in our PAM application (shared lib)
Greetings
Frank
Darren Tucker wrote:
> Frank Beckmann wrote:
>
> >>In the new OpenSSH 3.5p1 is the same bug as in 3.4p1 :-(
> >>When a user tries to log in with an expired password, SSH denies access to the system
>
>
> In pam-auth.c, change
>
> #if 0
> case PAM_NEW_AUTHTOK_REQD:
>
> to
>
> #if 1
> case PAM_NEW_AUTHTOK_REQD:
>
> and set "UsePrivilegeSeparation no" in sshd_config.
>
> People have reported mixed success, so your mileage may vary.
>
> Let the list know how it goes; one of the reasons this isn't enabled in
> 3.5p1 is lack of testing.
>
--
Frank Beckmann
Abt. TOIU
Tel: 0211 533-5758
Fax: 0211 533-1451
Mail Frank.Beckmann at vodafone.com
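
The PAM_NEW_AUTHTOK_REQD case discussed in this thread, as an added C example that is not code from OpenSSH or from either poster: it decides from the pam_acct_mgmt() result whether a session may start. The names account_gate, change_fn, change_ok and change_fail are hypothetical, and the fallback constants are an assumption used only when no PAM header is installed.

```c
/* Added example: gate a session on the PAM account-management result. */
#include <stddef.h>
#include <stdio.h>
#ifdef __has_include
#  if __has_include(<security/pam_appl.h>)
#    include <security/pam_appl.h>
#    define HAVE_PAM_HEADER 1
#  endif
#endif
#ifndef HAVE_PAM_HEADER
/* Fallback so the example builds without PAM headers (Linux-PAM numbering). */
enum { PAM_SUCCESS = 0, PAM_NEW_AUTHTOK_REQD = 12, PAM_AUTHTOK_ERR = 20 };
#endif

enum gate { GATE_ALLOW, GATE_ALLOW_AFTER_CHANGE, GATE_DENY };

/* Hypothetical callback; a real one would wrap
 * pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK). */
typedef int (*change_fn)(void *ctx);

/* acct_rc: value returned by pam_acct_mgmt(); has_tty: can we prompt? */
enum gate account_gate(int acct_rc, int has_tty, change_fn change, void *ctx)
{
    switch (acct_rc) {
    case PAM_SUCCESS:
        return GATE_ALLOW;
    case PAM_NEW_AUTHTOK_REQD:
        /* Expired password: no prompt possible means no session at all. */
        if (!has_tty || change == NULL)
            return GATE_DENY;
        /* The session starts only after the change actually succeeded. */
        return change(ctx) == PAM_SUCCESS ? GATE_ALLOW_AFTER_CHANGE : GATE_DENY;
    default:
        return GATE_DENY;   /* any other account-management failure */
    }
}

/* Constructed stand-ins for the password-change step; ctx counts calls. */
int change_ok(void *ctx)   { ++*(int *)ctx; return PAM_SUCCESS; }
int change_fail(void *ctx) { ++*(int *)ctx; return PAM_AUTHTOK_ERR; }

int main(void)
{
    int calls = 0;
    printf("valid=%d expired+tty=%d expired+no-tty=%d failed-change=%d\n",
           account_gate(PAM_SUCCESS, 1, change_ok, &calls),
           account_gate(PAM_NEW_AUTHTOK_REQD, 1, change_ok, &calls),
           account_gate(PAM_NEW_AUTHTOK_REQD, 0, change_ok, &calls),
           account_gate(PAM_NEW_AUTHTOK_REQD, 1, change_fail, &calls));
    return 0;
}
```

The account check applies whatever authentication method succeeded, as in the RSA login shown in the debug output above, and a session that cannot prompt is refused rather than started with the expired password.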