[PATCH] Password expiry with Privsep and PAM
Kevin Steves
stevesk at pobox.com
Thu Jan 2 13:36:03 EST 2003
On Tue, Dec 10, 2002 at 09:19:01PM +0100, Peter Stuge wrote:
> On Wed, Dec 11, 2002 at 06:50:36AM +1100, Darren Tucker wrote:
> > As Ben said, using /bin/passwd in v2's (pre-session) PASSWD_CHANGEREQ
> > requires writing expect-like functionality that would be very hard to
> > get right across all platforms.
>
> Would it really? Remember that this project has a lot of good people coming
> from different platforms. Also keep in mind that the PASSWD_CHANGEREQ
> protocol is the single smallest denominator, severely limiting what needs to
> be supported. I'm thinking all that can be expected is for sshd to handle
> cases where passwd wants either the old or the new password, sshd doesn't
> have any other information at that time and no real way to get any either,
> unless the protocol is extended, right?
i think it would be ugly.
> Two scenarios become possible:
>
> 1. openssh implements all necessary local password changing stuff - PITA
> overhead but when done a lot lower "instance" overhead, the PASSWD_CHANGEREQ
> becomes more lightweight. However, openssh might have to deal with vendor
> quux's broken system yet another time.
this is what tatu ssh did and ssh.com does. PASSWD_CHANGEREQ fits
nicely with this.
but it's ugly and a maintenance nightmare too.
> 2. openssh uses passwd because of law of least resistance, this is the
> simplest path to go. When vendor xyzzy ends up having a passwd that
> requires more capabilities than sshd has while in PASSWD_CHANGEREQ they can
> either fix their passwd or try to convince us that we should switch to (1).
>
> Set up an easy scheme to add support for platforms with (2) and I think it'd
> happen pretty quickly.
i don't see it as easy, but if it can be done simply it would be nice.
i do really like the idea of using passwd.
i also like PAM support, and i think darren is close on that.