Call for testing for 3.6: password expiry?

James F. Hranicky jfh at
Wed Mar 26 00:14:43 EST 2003

> Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
> Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> There is some overlap between the two patches and they're out of sync
> with each other. Can I please get someone to review these and let me 
> know if they're suitable for inclusion in 3.6p1?  The expiry patches have 
> been pretty heavily tested (nearly 800 downloads of the patch).  I've had 
> about a dozen reports of problems, all of which have been resolved (mostly
> configuring with pam when it wasn't supported, a couple of genuine
> problems and a couple of cases of pilot error).

Here are my observations about the latest version of the patch (passexpire18).

	Platform	: Solaris 8
	Auth Type	: PAM
	PAM Module	: Cusack pam_krb5 (v1.0)
	Kerberos Ver	: MIT 1.2.6 

- Without privsep 

  o PASSWD_PROGRAM_PATH defined as "kpasswd":

	- the PAM module doesn't appear to create the ccache 
	  before kpasswd is called, and kpasswd requires a
	  valid ccache to change passwords

  o PASSWD_PROGRAM_PATH defined as "kinit":

	- the program is called successfully, but requires the user
	  to enter 
		Old PW
		New PW
		New PW

	  even though the user already logged in with "Old PW"

- With privsep

  o default:

	- sshd returns "Password changing is currently unsupported with
	  privilege separation"

  o with this commented out in do_pam_chauthtok(), thereby calling

       if (password_change_required) {
    #if 0
            if (use_privsep)
                  fatal("Password changing is currently unsupported"
                        " with privilege separation");
            pamstate = OTHER;
            pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);

	- sshd successfully changes the password, although it exits 
	  immediately afterward

I can do more testing if anyone's interested.


| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499 |
| jfh at             |

"Given a choice between a complex, difficult-to-understand, disconcerting
 explanation and a simplistic, comforting one, many prefer simplistic
 comfort if it's remotely plausible, especially if it involves blaming
 someone else for their problems."
                                                -- Bob Lewis, _Infoworld_
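As an added illustration of the expiry logic behind Bug 14 (the non-PAM /etc/shadow path, where sshd itself has to decide whether a password is expired, in its grace period, locked, or the account is expired before it can offer a password change), here is a small C evaluator written for this page. It is not code from the post, the patch, or OpenSSH; it follows the aging rules described in shadow(5) (all dates are days since the epoch, an empty field disables that feature, lastchg of 0 forces a change at next login, and a password that stays expired past the "inactive" days is treated as locked). The entries and the "today" value in it are constructed sample data.

```c
/* Added example (not from the original post or OpenSSH): evaluate the
 * password-aging fields of an /etc/shadow entry the way a login service
 * has to before deciding whether to allow a login, demand a password
 * change, or refuse the account.  Rules follow shadow(5).            */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum pw_status {
    PW_OK,              /* password valid, nothing to do            */
    PW_WARN,            /* valid, but inside the warning window     */
    PW_CHANGE_REQUIRED, /* expired (or lastchg == 0): must change   */
    PW_LOCKED,          /* expired longer than the inactive period  */
    PW_ACCOUNT_EXPIRED  /* account expiry date passed: no login     */
};

/* A numeric shadow field; empty (or missing) field -> -1, meaning
 * "this aging feature is disabled". */
static long field_or_default(const char *s)
{
    if (s == NULL || *s == '\0')
        return -1;
    return strtol(s, NULL, 10);
}

/* entry: one line of /etc/shadow
 *        name:passwd:lastchg:min:max:warn:inactive:expire:flag
 * today: current day number (days since 1970-01-01)                  */
enum pw_status shadow_status(const char *entry, long today)
{
    char buf[512];
    char *fields[9] = {0};
    int n = 0;
    char *p;

    strncpy(buf, entry, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';

    /* Split on ':' by hand: strtok() would swallow empty fields. */
    p = buf;
    fields[n++] = p;
    while (n < 9 && (p = strchr(p, ':')) != NULL) {
        *p++ = '\0';
        fields[n++] = p;
    }

    long lastchg  = field_or_default(fields[2]);
    long max      = field_or_default(fields[4]);
    long warn     = field_or_default(fields[5]);
    long inactive = field_or_default(fields[6]);
    long expire   = field_or_default(fields[7]);

    /* Account expiry is independent of password aging and wins. */
    if (expire >= 0 && today >= expire)
        return PW_ACCOUNT_EXPIRED;
    /* lastchg of 0: administrator forced a change at next login. */
    if (lastchg == 0)
        return PW_CHANGE_REQUIRED;
    /* No lastchg or no max: aging disabled for this account. */
    if (lastchg < 0 || max < 0)
        return PW_OK;

    long expires_on = lastchg + max;
    if (today < expires_on) {
        if (warn >= 0 && today >= expires_on - warn)
            return PW_WARN;
        return PW_OK;
    }
    /* Expired: still changeable within the inactive grace period,
     * locked once that has also run out. */
    if (inactive >= 0 && today >= expires_on + inactive)
        return PW_LOCKED;
    return PW_CHANGE_REQUIRED;
}

static const char *status_name(enum pw_status s)
{
    static const char *names[] = { "ok", "warn", "change-required",
                                   "locked", "account-expired" };
    return names[s];
}

int main(void)
{
    /* Constructed sample entries; day 12137 is roughly late March 2003. */
    const char *entries[] = {
        "alice:$1$x:12100:0:90:7:14::",      /* fresh password        */
        "bob:$1$x:0:0:90:7:14::",            /* forced change         */
        "carol:$1$x:12000:0:90:7:14::",      /* expired, past grace   */
        "dave:$1$x:12030:0:90:7:30::",       /* expired, in grace     */
        "erin:$1$x:12100:0:90:7:14:12100:",  /* account expired       */
        "frank:$1$x:12100:::::",             /* aging disabled        */
        "gina:$1$x:12050:0:90:7:14::",       /* inside warning window */
    };
    long today = 12137;
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++)
        printf("%-40s %s\n", entries[i],
               status_name(shadow_status(entries[i], today)));
    return 0;
}
```

The useful part for a login daemon is the distinction between "change-required" and "locked": only the former should ever reach a password-change path such as the one the patch adds, and an expired account must be refused before either is considered.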