Call for testing for 3.6: password expiry?

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Mar 22 04:36:14 EST 2003


On Fri, 21 Mar 2003, Jeff Koenig wrote:

> Why are password expiry and BSM support not in the code by now?
> People have been talking about these since before 3.5p1.  At least,
> can't they be added and just not on by default?  Like having a
> --password_expire and --bsm_support or something?
>

First off, BSM is for a single platform and requires us to UNDERSTAND what
it is doing.  And no one on the OpenSSH portable team has made it a
priority to understand the code.

> I don't understand why password expiry and BSM auditing support are not
> a higher priority.  I would think a lot of companies are required to use
> these features.  Is the patch code just not tested enough or something?
>

Why password expiry?  Have you looked at the RFC?  If we implement v2
password expiry the way the RFC requires, we will break a lot of platforms
and the code would be massive.  Darren and I have already gone through
this.  Therefore there has to be a lot of discussion about this.  (A lot
of which has already happened on and off list.)   If you've been paying
attention you'd realize that this is not as easy as slapping 10 lines of
code in place and saying "finished".

It sounds like password expiry will become a priority for 3.7.  I think
that a lot of the issues in regards to when/where to break the RFC for
sanity have been concluded.

> I'm just a little frustrated.
>

And it does not frustrate me to hear people complain and whine about this
on multiple lists? =)  Things take time.

I'm sure if there was funding for a full time position that it would be
easier to handle such things.  I know my time will be extremely limited
until Jan 2004 with paid projects.

- Ben

> Anyway, thanks for all the work you guys have done so far, by the way.
>
> Jeff
>
> >>> Ben Lindstrom <mouring at etoh.eviladmin.org> 03/19/03 09:46PM >>>
>
> That's nice.. the problem is, when we normally call for testing, it means NO
> NEW FEATURES.  As in *RELEASE SOON*...
>
> Sorry folks.. These won't be in 3.6.
>
> - Ben
>
> On Wed, 19 Mar 2003 hayward at slothmud.org wrote:
>
> >
> > I would like to see the expiry patch in as well.  We use OpenSSH across a
> > large corporation, with thousands of servers (Solaris, AIX, HP, etc).  Our
> > policies require password expiry... What's the point of SSH if you have
> > to use telnet to change your password after it expires...? :-)
> >
> > Thanks for the consideration,
> > Brian Hayward
> >
> >
> > >I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
> > >http://bugzilla.mindrot.org/show_bug.cgi?id=14
> > >
> > >On that note, I'd like the Sun BSM patch to be included also, if possible.  I have it working applied to 3.5p1:
> > >http://bugzilla.mindrot.org/show_bug.cgi?id=125
> > >
> > >In fact, both patches work together, apparently.
> > >
> > >If I have any issues, I'll post them here.
> > >
> > >Jeff Koenig
> > >
> > >>>> Darren Tucker <dtucker at zip.com.au> 03/07/03 12:55AM >>>
> > >Hi again.
> > >
> > >Ben Lindstrom wrote:
> > >> So if you have any patches you need to ensure your platform works speak
> > >> up.  We are looking at a lock on the 17th.
> > >
> > >There are a couple of patches in Bugzilla that relate to my pet project:
> > >
> > >Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
> > >http://bugzilla.mindrot.org/attachment.cgi?id=240&action=view
> > >
> > >Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> > >http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view
> > >
> > >There is some overlap between the two patches and they're out of sync
> > >with each other.
> > >
> > >Can I please get someone to review these and let me know if they're
> > >suitable for inclusion in 3.6p1?  The expiry patches have been pretty
> > >heavily tested (nearly 800 downloads of the patch).  I've had about a
> > >dozen reports of problems, all of which have been resolved (mostly
> > >configuring with pam when it wasn't supported, a couple of genuine
> > >problems and a couple of cases of pilot error).
> > >
> > >If they are likely to go in, please let me know what you'd like done
> > >with them (eg, merge them into a single patch or make 2 "stacked"
> > >patches to be applied sequentially, and particularly what if anything
> > >should be done with the interaction with do_pam_chauthtok).
> > >
> > >
> >
> > --
> > Brian Hayward
> >
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>