SSH Bug 3.5p1 Expired Passwords

Darren Tucker dtucker at zip.com.au
Thu Feb 20 20:43:45 EST 2003


Frank Beckmann wrote:
> Is this problem fixed in a new snapshot version of OpenSSH?
> The fix has only run under protocol 1, not under protocol 2 :-(
[snip]
> > #if 1
> >                 case PAM_NEW_AUTHTOK_REQD:

No, to my knowledge there is no fix for this problem in the current
tree.  You have a couple of new options, though.

1) Using PAM.

This patch:
http://bugzilla.mindrot.org/attachment.cgi?id=198&action=view
(attached to this bug: http://bugzilla.mindrot.org/show_bug.cgi?id=423)
will (should) allow PAM NEW_AUTHTOK_REQD to work with and without
privsep.

Although it seems to work, this will probably never make it into the
main tree because a) it makes a privsep call from the shell child
process and b) Damien has been threatening to replace the existing PAM
module.

2) Without PAM

This patch
http://www.zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire16.patch
(more info: http://www.zip.com.au/~dtucker/openssh/ and
http://bugzilla.mindrot.org/show_bug.cgi?id=14) will enable password
expiration without PAM on AIX, Solaris and a few others.

I'm hoping that this or something like it will make it to the main tree
but there seems to be a lack of interest at the moment.  

The various patches have been downloaded from my page just under a
thousand times.  I've been able to resolve the half-dozen or so problems
people have emailed me with, so it's probably working for some people
(and, I note, IBM are now shipping AIX packages that do password expiry;
I don't know if they're based on these).

So how about it, people?  What needs to be done to it?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.




More information about the openssh-unix-dev mailing list