Call for testing for 3.6: password expiry?

Ben Lindstrom mouring at etoh.eviladmin.org
Wed Mar 26 04:28:12 EST 2003


Personally, it is not frustrating as much as very poor wording.  Once I
explained it to my Solaris users they understood it.  However the term
'Login Password' throws them for a loop.  <sigh>

- Ben

On Tue, 25 Mar 2003 hayward at slothmud.org wrote:

> This is how password changing works on Solaris through "telnet" as well.
> This is frustrating to users but may not be something easily solved in an
> OpenSSH password expiry solution.
>
> --
> Brian Hayward
>
> >Here are my observations about the latest version of the patch (passexpire18).
> >
> >	Platform	: Solaris 8
> >	Auth Type	: PAM
> >	PAM Module	: Cusack pam_krb5 (v1.0)
> >	Kerberos Ver	: MIT 1.2.6
> >
> >- Without privsep
> >
> >  o PASSWD_PROGRAM_PATH defined as "kpasswd":
> >
> >	- the PAM module doesn't appear to create the ccache
> >	  before kpasswd is called, and kpasswd requires a
> >	  valid ccache to change passwords
> >
> >  o PASSWD_PROGRAM_PATH defined as "kinit":
> >
> >	- the program is called successfully, but requires the user
> >	  to enter
> >
> >		Old PW
> >		New PW
> >		New PW
> >
> >	  even though the user already logged in with "Old PW"
> >
> >- With privsep
> >
> >  o default:
> >
> >	- sshd returns "Password changing is currently unsupported with
> >	  privilege separation"
> >
> >  o with this commented out in do_pam_chauthtok(), thereby calling
> >    pam_chauthtok()
> >
> >---------
> >       if (password_change_required) {
> >    #if 0
> >            if (use_privsep)
> >                  fatal("Password changing is currently unsupported"
> >                        " with privilege separation");
> >    #endif
> >            pamstate = OTHER;
> >            pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
> >---------
> >
> >	- sshd successfully changes the password, although it exits
> >	  immediately afterward
> >
> >I can do more testing if anyone's interested.
> >
> >FYI.
> >
> >----------------------------------------------------------------------
> >| Jim Hranicky, Senior SysAdmin                   UF/CISE Department |
> >| E314D CSE Building                            Phone (352) 392-1499 |
> >| jfh at cise.ufl.edu                      http://www.cise.ufl.edu/~jfh |
> >----------------------------------------------------------------------
> >
> >"Given a choice between a complex, difficult-to-understand, disconcerting
> > explanation and a simplistic, comforting one, many prefer simplistic
> > comfort if it's remotely plausible, especially if it involves blaming
> > someone else for their problems."
> >                                                -- Bob Lewis, _Infoworld_
> >
> >
> >
> >_______________________________________________
> >openssh-unix-dev mailing list
> >openssh-unix-dev at mindrot.org
> >http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
> >
>
>



