Call for testing for 3.6: password expiry?

hayward at slothmud.org
Wed Mar 26 03:12:00 EST 2003


This is how password changing works on Solaris through "telnet" as well.
This is frustrating to users but may not be something easily solved in an
OpenSSH password expiry solution.

--
Brian Hayward

>Here are my observations about the latest version of the patch (passexpire18).
>
>	Platform	: Solaris 8
>	Auth Type	: PAM
>	PAM Module	: Cusack pam_krb5 (v1.0)
>	Kerberos Ver	: MIT 1.2.6 
>
>- Without privsep 
>
>  o PASSWD_PROGRAM_PATH defined as "kpasswd":
>
>	- the PAM module doesn't appear to create the ccache 
>	  before kpasswd is called, and kpasswd requires a
>	  valid ccache to change passwords
>
>  o PASSWD_PROGRAM_PATH defined as "kinit":
>
>	- the program is called successfully, but requires the user
>	  to enter 
>		
>		Old PW
>		New PW
>		New PW
>
>	  even though the user already logged in with "Old PW"
>
>- With privsep
>
>  o default:
>
>	- sshd returns "Password changing is currently unsupported with
>	  privilege separation"
>
>  o with this commented out in do_pam_chauthtok(), thereby calling
>    pam_chauthtok()
>
>---------
>       if (password_change_required) {
>    #if 0
>            if (use_privsep)
>                  fatal("Password changing is currently unsupported"
>                        " with privilege separation");
>    #endif
>            pamstate = OTHER;
>            pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
>---------
>
>	- sshd successfully changes the password, although it exits 
>	  immediately afterward
>
>I can do more testing if anyone's interested.
>
>FYI.
>
>----------------------------------------------------------------------
>| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
>| E314D CSE Building                            Phone (352) 392-1499 |
>| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
>----------------------------------------------------------------------
>
>"Given a choice between a complex, difficult-to-understand, disconcerting
> explanation and a simplistic, comforting one, many prefer simplistic
> comfort if it's remotely plausible, especially if it involves blaming
> someone else for their problems."
>                                                -- Bob Lewis, _Infoworld_
>
