Call for testing for 3.6: password expiry?
James F.Hranicky
jfh at cise.ufl.edu
Wed Mar 26 00:14:43 EST 2003
> Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
> http://bugzilla.mindrot.org/attachment.cgi?id=240&action=view
>
> Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view
>
> There is some overlap between the two patches and they're out of sync
> with each other. Can I please get someone to review these and let me
> know if they're suitable for inclusion in 3.6p1? The expiry patches have
> been pretty heavily tested (nearly 800 downloads of the patch). I've had
> about a dozen reports of problems, all of which have been resolved (mostly
> configuring with pam when it wasn't supported, a couple of genuine
> problems and a couple of cases of pilot error).
Here are my observations about the latest version of the patch (passexpire18).
Platform : Solaris 8
Auth Type : PAM
PAM Module : Cusack pam_krb5 (v1.0)
Kerberos Ver : MIT 1.2.6
- Without privsep
  o PASSWD_PROGRAM_PATH defined as "kpasswd":
    - the PAM module doesn't appear to create the ccache
      before kpasswd is called, and kpasswd requires a
      valid ccache to change passwords
  o PASSWD_PROGRAM_PATH defined as "kinit":
    - the program is called successfully, but requires the user
      to enter
          Old PW
          New PW
          New PW
      even though the user already logged in with "Old PW"
- With privsep
  o default:
    - sshd returns "Password changing is currently unsupported with
      privilege separation"
  o with this commented out in do_pam_chauthtok(), thereby calling
    pam_chauthtok()
    ---------
        if (password_change_required) {
    #if 0
                if (use_privsep)
                        fatal("Password changing is currently unsupported"
                            " with privilege separation");
    #endif
                pamstate = OTHER;
                pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
    ---------
    - sshd successfully changes the password, although it exits
      immediately afterward
I can do more testing if anyone's interested.
FYI.
----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin UF/CISE Department |
| E314D CSE Building Phone (352) 392-1499 |
| jfh at cise.ufl.edu http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
"Given a choice between a complex, difficult-to-understand, disconcerting
explanation and a simplistic, comforting one, many prefer simplistic
comfort if it's remotely plausible, especially if it involves blaming
someone else for their problems."
-- Bob Lewis, _Infoworld_
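For readers following Bug 14 (the non-PAM expiry path), the decision sshd has to make before deciding whether to force a password change is the password-aging check on the /etc/shadow entry. The following is an added illustration of that check, not OpenSSH's or the patch's own code: the sample shadow lines, user names and day numbers are constructed, and the exact day-boundary conventions (when a password is merely due for change versus locked by the inactive period) are an assumption modelled on shadow(5).

```python
from datetime import date

# Constructed sample /etc/shadow content (hypothetical users, placeholder
# hashes). Field order per shadow(5):
#   name:passwd:lastchg:min:max:warn:inactive:expire:flag
# Day values are days since 1970-01-01, as in the real file.
SAMPLE_SHADOW = """\
alice:$6$placeholder:12000:0:90:7:::
bob:$6$placeholder:12000:0:90:7:14::
carol:$6$placeholder:0:0:90:7:::
dave:$6$placeholder:12100:0:90:7::12110:
erin:$6$placeholder:12000:0:99999:7:::
"""


def _int_or_none(field):
    """Empty shadow fields mean 'not set'; everything else is an integer."""
    return int(field) if field.strip() else None


def parse_shadow(text):
    """Parse shadow-format text into a dict keyed by user name."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        f = line.split(':')
        if len(f) < 8:
            raise ValueError("malformed shadow line: %r" % line)
        entries[f[0]] = {
            'lastchg': _int_or_none(f[2]),
            'min': _int_or_none(f[3]),
            'max': _int_or_none(f[4]),
            'warn': _int_or_none(f[5]),
            'inactive': _int_or_none(f[6]),
            'expire': _int_or_none(f[7]),
        }
    return entries


def days_since_epoch(year, month, day):
    """Convert a calendar date to the day count used by shadow fields."""
    return (date(year, month, day) - date(1970, 1, 1)).days


def check_expiry(entry, today):
    """Classify one shadow entry for a given day (days since epoch).

    Returns 'ok', 'change_required', 'password_locked' or 'account_expired'.
    Assumption: boundaries follow shadow(5) semantics, i.e. the account is
    disabled on the 'expire' day itself, a lastchg of 0 forces a change at
    next login, and the inactive grace period counts from the day the
    password aged out.
    """
    if entry['expire'] is not None and today >= entry['expire']:
        return 'account_expired'
    if entry['lastchg'] == 0:
        return 'change_required'
    if entry['lastchg'] is None or entry['max'] is None:
        return 'ok'                      # no aging information recorded
    aged_out = entry['lastchg'] + entry['max']
    if entry['inactive'] is not None and today >= aged_out + entry['inactive']:
        return 'password_locked'         # grace period used up: no self-service change
    if today >= aged_out:
        return 'change_required'         # still allowed to log in, must change now
    return 'ok'


def days_until_change(entry, today):
    """Days left before the password ages out, or None if it never does."""
    if entry['lastchg'] in (None, 0) or entry['max'] is None:
        return None
    return entry['lastchg'] + entry['max'] - today


if __name__ == '__main__':
    # Evaluate the constructed entries on the day this message was posted.
    today = days_since_epoch(2003, 3, 26)
    for name, entry in parse_shadow(SAMPLE_SHADOW).items():
        print(name, check_expiry(entry, today), days_until_change(entry, today))
```

The four outcomes map onto what the server has to do: 'ok' proceeds to the session, 'change_required' is the case where a password-change program (or pam_chauthtok) must run before the session starts, and the two locked/expired states should refuse the login rather than offer a change.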
More information about the openssh-unix-dev
mailing list