X11 forwarding when pw is aged

Darren Tucker dtucker at zip.com.au
Tue Jul 1 18:34:36 EST 2003


Andreas Gidom wrote:
> 1st Simple question: bug or feature ?

It's a Security Feature.  All forwarding is disabled when the password is
expired, otherwise you could request forwards with an expired password.

The problem with re-enabling it afterwards is that your password is
changed in the process that becomes the shell, but the forwarding flags
are checked in the ssh daemon (the slave if privsep is in use) and there's
no easy way to report a successful change.

At one point I tried using a signal to reset the flags but that wasn't
popular.

It might be possible to make it work by checking if the password is still
expired when a forwarding request arrives.  I'm not sure how hard that is
(it's likely to be difficult with PAM for example).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
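
The trade-off described in this message, as an added example (not part of the original post and not OpenSSH code): a flag set once at authentication stays stale after the password is changed in the shell process, while a check made when the forwarding request arrives sees the new state. The struct and function names are hypothetical, the account values are constructed, and the expiry rule is a simplified shadow(5)-style check.

```c
#include <stdbool.h>
#include <stdio.h>

/* Aging fields named after shadow(5); values are days since the epoch. */
struct aging {
    long lstchg;   /* day of last password change; 0 = must change now */
    long max;      /* maximum password age in days; negative = no limit */
};

/* True when the password has to be changed before it is trusted again. */
bool password_expired(const struct aging *a, long today)
{
    if (a->lstchg == 0)
        return true;                 /* change forced by the administrator */
    if (a->max < 0)
        return false;                /* aging disabled for this account */
    return today > a->lstchg + a->max;
}

/* Hypothetical per-session state held by the daemon-side process. */
struct session {
    const struct aging *acct;        /* live view of the account record */
    bool no_forward_flag;            /* snapshot taken at authentication */
};

void session_start(struct session *s, const struct aging *a, long today)
{
    s->acct = a;
    s->no_forward_flag = password_expired(a, today);
}

/* Model of the flag approach: set at login, never refreshed afterwards. */
bool forward_allowed_cached(const struct session *s)
{
    return !s->no_forward_flag;
}

/* Model of the suggested alternative: look the expiry up per request. */
bool forward_allowed_recheck(const struct session *s, long today)
{
    return !password_expired(s->acct, today);
}

int main(void)
{
    struct aging acct = { 12000, 90 };   /* constructed: expired on day 12091 */
    struct session s;
    session_start(&s, &acct, 12234);
    acct.lstchg = 12234;                 /* password changed in the shell process */
    printf("cached=%d recheck=%d\n", forward_allowed_cached(&s), forward_allowed_recheck(&s, 12234));
    return 0;
}
```

The re-check only works when the daemon-side process can read the aging data itself, which is the difficulty the message raises for PAM.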




More information about the openssh-unix-dev mailing list