[Bug 473] New: cannot update password using PAM on HP-UX system that has been tsconverted

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Jan 25 08:44:31 EST 2003


http://bugzilla.mindrot.org/show_bug.cgi?id=473

           Summary: cannot update password using PAM on HP-UX system that
                    has been tsconverted
           Product: Portable OpenSSH
           Version: older versions
          Platform: All
        OS/Version: HP-UX
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-unix-dev at mindrot.org
        ReportedBy: rusr at cup.hp.com


With OpenSSH 3.1p1 using PAM, there is a problem logging in if the password is
expired and the server system has been converted to commercial security mode
with the /etc/tsconvert command.

Problem description:
If a user has an expired password, they cannot log in using ssh.

When they attempt to login, the system detects the expired password and forces
the user to change it before they can complete the login. However, if you have
converted to comsec, HP's pam_unix checks the UID (must be the uid of the user
logging in) and the EUID (must be 0, aka root) before allowing the password
update to proceed. However, sshd always has UID == EUID == 0, so the password
change fails and the user is logged out, effectively locking the user out of the
system (unless they use some other method of logging in, such as rlogin or telnet).

A possible fix for this involves passing the user's password entry from
session.c to do_pam_chauthtok(). do_pam_chauthtok() then changes the RUID to the
user's uid, calls pam_chauthtok(), and changes it back after the call.

I am including some diffs of the fix as I made it - the official version may
wish to have it enclosed in #ifdef's.

diff auth-pam.h /extra/openssh-3.1p1/auth-pam.h | more
1c1
< /* $Id: auth-pam.h,v 1.3 2002/05/14 16:35:43 cvsuser Exp $ */
---
> /* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */
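Review bot: the diff arguments are reversed in all three files (the modified tree is the first argument and the pristine 3.1p1 tree the second), so the `<` lines are the proposed change and the `>` lines are the original. Regenerating with the pristine tree first, and with `diff -u` for context, would make the hunks read in the usual direction and would also drop this `$Id$` keyword churn, which should not be part of the submitted patch.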
18c18
< void do_pam_chauthtok(struct passwd *pw);
---
> void do_pam_chauthtok(void);
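Review bot: `struct passwd` must be declared before this prototype is seen; if auth-pam.h does not already include `<pwd.h>` or carry a `struct passwd;` forward declaration, the parameter type has prototype scope only and the compiler warns that it will not match the caller's type. Adding the forward declaration to the header is the cheapest fix.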

diff auth-pam.c /extra/openssh-3.1p1/auth-pam.c | more
38c38
< RCSID("$Id: auth-pam.c,v 1.3 2002/05/14 16:35:43 cvsuser Exp $");
---
> RCSID("$Id: auth-pam.c,v 1.42 2002/02/05 01:40:47 djm Exp $");
146d145
<
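Review bot: this hunk only deletes a blank line; whitespace-only changes unrelated to the fix should be dropped from the patch.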
326c325
< void do_pam_chauthtok(struct passwd *pw)
---
> void do_pam_chauthtok(void)
329,331d327
<       uid_t current_uid;
<       uid_t current_euid;
<       int uid_set = 0;
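Review bot: `current_euid` is declared but never used in the following hunks, and `current_uid` is only ever assigned inside a condition and never read; both can go, leaving just `uid_set`, which also removes an unused-variable warning.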
337,340d332
<               if ((geteuid() == 0) && (current_uid = getuid()) == 0) {
<                       setreuid(pw->pw_uid, -1);
<                       uid_set = 1;
<               }
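Review bot: the return value of `setreuid(pw->pw_uid, -1)` is ignored, yet `uid_set = 1` is set unconditionally afterwards; check the result (and report it with `error()` on failure) so the later restore is only attempted when the swap actually happened. The assignment-in-condition `(current_uid = getuid()) == 0` stores a value nothing reads; `getuid() == 0` says the same more plainly. The hunk carries no context lines, so a reviewer cannot see which branch of `do_pam_chauthtok()` this sits in or whether `pw` is guaranteed non-NULL there; `diff -u` output would show both.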
342,344d333
<               if (uid_set == 1) {
<                       setuid(0);
<               }
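Review bot: the `setuid(0)` that restores root is also unchecked; if it failed, sshd would continue with the real uid still set to the user's and later privileged steps would break silently. Check the result and `fatal()` on failure, and consider `setreuid(0, -1)` as the mirror image of the swap, since the effective uid is still 0 at this point and only the real uid was changed.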

diff session.c /extra/openssh-3.1p1/session.c | more
718c718
<               do_pam_chauthtok(pw);
---
>               do_pam_chauthtok();
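The real-uid swap the report proposes, as an added C example that is neither the reporter's patch nor OpenSSH code, with the return-value checks a reviewer would want. `comsec_allows` models the uid/euid rule the report attributes to HP's pam_unix in commercial security mode, and `run_as_real_uid` is a hypothetical helper that stands in for the wrapper around pam_chauthtok(); `probe` is a constructed stand-in for the PAM call itself.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Model of the credential rule the report attributes to HP-UX pam_unix in
 * commercial security mode: the real uid must be the user's own and the
 * effective uid must be root. sshd runs with both equal to 0, so it fails. */
int comsec_allows(uid_t ruid, uid_t euid, uid_t target)
{
    return ruid == target && euid == 0;
}

/* Hypothetical helper: run fn() with the real uid temporarily set to target,
 * the way the patch wraps pam_chauthtok(). Unlike the patch, every credential
 * change is checked, and a failed restore is reported rather than ignored. */
int run_as_real_uid(uid_t target, int (*fn)(void *), void *arg)
{
    int swapped = 0, rc;

    /* Only swap when we hold sshd-style 0/0 credentials; otherwise the caller
     * already runs as an unprivileged user and there is nothing to change. */
    if (getuid() == 0 && geteuid() == 0 && target != 0) {
        if (setreuid(target, (uid_t)-1) != 0) {
            perror("setreuid(target, -1)");
            return -1;
        }
        swapped = 1;
    }

    rc = fn(arg);

    /* The effective uid is still 0, so restoring the real uid is permitted. */
    if (swapped && setreuid(0, (uid_t)-1) != 0) {
        perror("setreuid(0, -1)");  /* continuing as the user here would be wrong */
        return -1;
    }
    return rc;
}

/* Constructed stand-in for pam_chauthtok(): records the credentials it saw. */
int probe(void *arg)
{
    uid_t *seen = arg;
    seen[0] = getuid();
    seen[1] = geteuid();
    return 0;
}
```

Run as an ordinary user the helper makes no credential change at all; only a 0/0 process, as sshd is during login, takes the swap path.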


