openssh-3.6.1p2-passexpire20.patch prevents /etc/nologin display on AIX

[Darren Tucker]

"Elwell, AD (Andrew)" wrote:
> I have just compiled up 3.6.1p2 both with and without Darren Tuckers
> passexpire patch.
> 
> However, with the patch applied /etc/nologin isn't displayed to users (on
> AIX 5.1 / PSSP)
> 
> The patched vesion seems to fail with "illegal user" - some parts of a debug
> 3 log...
> 
> debug1: userauth-request for user ade45 service ssh-connection method none
> debug1: attempt 0 failures 0
> debug3: mm_getpwnamallow entering
> debug3: mm_request_send entering: type 6
> debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAMdebug3: monitor_read:
> checking request 6
> debug3: mm_request_receive_expect entering: type 7debug3:
> mm_answer_pwnamallowdebug3: mm_request_receive entering
> Login restricted for ade45:  this is a test
> debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 0
[snip]

I would have expected to see some more debugging here, something like:
debug3: lastupdate [foo] maxage [foo] wks maxexpired
debug3: AIX/passwdexpired returned [whatever]

Was that there and if so what does it say?

Looking at the code here, I can't see a reason for this.  Did the patch
apply cleanly?

> A more pressing need is for us to be able to cope with changing the users
> password on another box. (we use PSSP on a large cluster) hmm, some hacking
> of /bin/passwd might be called for...

You can change PATH_PROGRAM_PATH in config.h to point to any program you
like.  Be aware that it'll get called as "/path/to/program" (as the user)
if PrivSep is on and "/path/to/program [username]" (as root!) if PrivSep
is off.

If it's a common requirement it might be worth adding a
--with-passwd-program=/bin/foo option to configure.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.