[Ans.]openssh3.5p1 version ... Password aging problem???

Peter Stuge stuge-openssh-unix-dev at cdy.org
Mon May 12 23:50:49 EST 2003


On Mon, May 12, 2003 at 05:08:18PM +1000, Darren Tucker wrote:
> This is a known issue with the current code.  Depending on whether or not
> you're using PAM, the bugs (with potential solutions) are:

What is the status on interfacing with the system passwd command for
changing passwords? It's only for non-PAM situations, but is it still
relevant there? I have tried one way of setting up the "chat scripts", but
that failed; I've implemented the skeleton for a second try but have been
too busy with other things to finish it for wider testing.

Should I try to finish the prototype ASAP?

These are the current data structures:

/* Type and tag definitions as assumed from the field comments below;
   the original post shows only the initialised arrays. */
enum sys_tag { OSX_10_2 = 1, LINUXPAM };                    /* 0 terminates systems[] */
enum script_fd { STDIN, STDERR };                           /* passwd's fd to read or write */
enum script_action { EXPECT, SENDOLD, SENDNEW, DONE, END }; /* END terminates script[] */

struct SYSNAMES {
  const char *name;   /* system name, reported to the user */
  int tag;            /* links a system to its SCRIPT lines */
  int pos;            /* current script position, -1 = not started */
};

struct SCRIPT {
  int system;         /* tag from SYSNAMES */
  int fd;             /* STDERR: read and EXPECT; STDIN: write SENDOLD/SENDNEW */
  int action;         /* EXPECT, SENDOLD, SENDNEW, DONE or END */
  const char *text;   /* string to expect, or terminator sent after the password */
  long usec;          /* delay in microseconds, 0 = default 1.5e6 */
};

struct SYSNAMES systems[]={
  /* name,		tag,		current script position */
  {"MacOS X 10.2",	OSX_10_2,	-1},
  {"Linux-PAM",		LINUXPAM,	-1},
  {NULL,0,0}
};

struct SCRIPT script[]={
  /* system,	fd,	action,	text,	usec delay (default:1.5e6) */
  {OSX_10_2,	STDERR,	EXPECT,	"password:",0},
  {OSX_10_2,	STDIN,	SENDOLD,"\n",	0},
  {OSX_10_2,	STDERR,	EXPECT,	"New password:",0},
  {OSX_10_2,	STDIN,	SENDNEW,"\n",	0},
  {OSX_10_2,	STDERR,	EXPECT,	"Retype new password:",0},
  {OSX_10_2,	STDIN,	SENDNEW,"\n",	0},
  {OSX_10_2,	STDIN,	DONE,	NULL,	0},

  {LINUXPAM,	STDERR,	EXPECT,	"password:",0},
  {LINUXPAM,	STDIN,	SENDOLD,"\n",	0},
  {LINUXPAM,	STDERR,	EXPECT,	"New UNIX password: ",0},
  {LINUXPAM,	STDIN,	SENDNEW,"\n",	0},
  {LINUXPAM,	STDERR,	EXPECT,	"Retype new UNIX password: ",0},
  {LINUXPAM,	STDIN,	SENDNEW,"\n",	0},
  {LINUXPAM,	STDIN,	DONE,	NULL,	0},

  {0,0,END,NULL,0}
};

SYSNAMES may only be useful for debugging; I figure it is nice to be able to
tell the user which script was used.

To save memory, the script could be chosen/created at compile time. But it's
not a lot of data unless we get lots of different scripts.

My binary implementing this is currently 6384 bytes when stripped.

Theory of operation is to weed out systems that have EXPECT lines in the
script that do not match data received from passwd; hopefully there is one
active system, at DONE, when passwd exits. If no script is finished by the
time passwd exits, it's an (as yet) unknown system and we'll need
information about that password-changing dialogue. If a script reaches DONE
while passwd is still running, it will simply be made inactive. There needs
to be a timeout here for network directories and such to update, though. A
couple of seconds should be enough for everybody. ;)


//Peter
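The matching process described in the message above (every system's script starts out active, each prompt passwd writes is checked against the active scripts' EXPECT lines, non-matching systems are dropped, and the single script sitting at DONE when passwd exits names the system), as an added stand-alone simulation in C. This is example code written for this page, not Peter's prototype and not OpenSSH code; the enum and struct definitions, the chat_reset/chat_feed/chat_finish/detect functions and the three passwd transcripts are assumptions made for illustration.

```c
/* Added example, not OpenSSH or the author's code: a stand-alone simulation of the chat-script
 * matcher the post describes. Enums, structs, chat_* functions and transcripts are assumptions. */
#include <stdio.h>
#include <string.h>
enum sys_tag { OSX_10_2 = 1, LINUXPAM };            /* 0 terminates systems[] */
enum script_fd { STDIN, STDERR };
enum script_action { EXPECT, SENDOLD, SENDNEW, DONE, END };
struct SYSNAMES { const char *name; int tag; int pos; };
struct SCRIPT { int system; int fd; int action; const char *text; long usec; };

static struct SYSNAMES systems[] = {
  /* name,          tag,       current script position (-1 = out of the race) */
  {"MacOS X 10.2",  OSX_10_2,  -1},
  {"Linux-PAM",     LINUXPAM,  -1},
  {NULL, 0, 0}
};
static const struct SCRIPT script[] = {
  /* system,  fd,     action,  text,                         usec delay */
  {OSX_10_2, STDERR, EXPECT,  "password:",                  0},
  {OSX_10_2, STDIN,  SENDOLD, "\n",                         0},
  {OSX_10_2, STDERR, EXPECT,  "New password:",              0},
  {OSX_10_2, STDIN,  SENDNEW, "\n",                         0},
  {OSX_10_2, STDERR, EXPECT,  "Retype new password:",       0},
  {OSX_10_2, STDIN,  SENDNEW, "\n",                         0},
  {OSX_10_2, STDIN,  DONE,    NULL,                         0},
  {LINUXPAM, STDERR, EXPECT,  "password:",                  0},
  {LINUXPAM, STDIN,  SENDOLD, "\n",                         0},
  {LINUXPAM, STDERR, EXPECT,  "New UNIX password: ",        0},
  {LINUXPAM, STDIN,  SENDNEW, "\n",                         0},
  {LINUXPAM, STDERR, EXPECT,  "Retype new UNIX password: ", 0},
  {LINUXPAM, STDIN,  SENDNEW, "\n",                         0},
  {LINUXPAM, STDIN,  DONE,    NULL,                         0},
  {0, 0, END, NULL, 0}
};
char sent[64];                                        /* symbolic log of writes to passwd's stdin */

/* New passwd run: every system is a candidate, placed at its first script line. */
void chat_reset(void)
{
  int i, j; sent[0] = '\0';
  for (i = 0; systems[i].name != NULL; i++) {
    systems[i].pos = -1;
    for (j = 0; script[j].action != END; j++)
      if (script[j].system == systems[i].tag) { systems[i].pos = j; break; }
  }
}
/* One chunk read from passwd's stderr; returns how many systems survive it. */
int chat_feed(const char *chunk)
{
  int i, alive = 0, logged = 0;
  for (i = 0; systems[i].name != NULL; i++) {
    int p = systems[i].pos;
    if (p < 0) continue;                              /* already weeded out */
    if (script[p].action == DONE ||                   /* finished, yet passwd still talks */
        script[p].action != EXPECT || strstr(chunk, script[p].text) == NULL) {
      systems[i].pos = -1;                            /* this prompt is not this system's */
      continue;
    }
    /* Matched: step past the EXPECT and the SEND* lines after it; only the first survivor's sends are logged. */
    for (p++; script[p].action == SENDOLD || script[p].action == SENDNEW; p++)
      if (!logged && strlen(sent) + 5 <= sizeof(sent))
        strcat(sent, script[p].action == SENDOLD ? "OLD\n" : "NEW\n");
    logged = 1; systems[i].pos = p; alive++;
  }
  return alive;
}
/* passwd exited: the one system whose script sits at DONE, or NULL if none or several did. */
const char *chat_finish(void)
{
  int i, finished = 0;
  const char *name = NULL;
  for (i = 0; systems[i].name != NULL; i++)
    if (systems[i].pos >= 0 && script[systems[i].pos].action == DONE) { finished++; name = systems[i].name; }
  return finished == 1 ? name : NULL;
}
/* Run a whole transcript, one chunk per read, through the matcher. */
const char *detect(const char *const *prompts, int n)
{
  int i;
  chat_reset();
  for (i = 0; i < n; i++) chat_feed(prompts[i]);
  return chat_finish();
}

/* Constructed transcripts of passwd's prompts, not captured from real systems. */
const char *const linux_pam_prompts[] = { "Changing password for peter\n(current) UNIX password: ",
                                          "New UNIX password: ", "Retype new UNIX password: " };
const char *const osx_prompts[] = { "Changing password for peter.\nOld password:",
                                    "New password:", "Retype new password:" };
const char *const unknown_prompts[] = { "Enter existing login password:",
                                        "New Password: ", "Re-enter new Password: " };

int main(void)
{
  const char *r = detect(linux_pam_prompts, 3);
  printf("Linux-PAM transcript -> %s; sent:\n%s", r ? r : "unknown", sent);
  r = detect(osx_prompts, 3);     printf("Mac OS X transcript  -> %s\n", r ? r : "unknown");
  r = detect(unknown_prompts, 3); printf("other transcript     -> %s\n", r ? r : "unknown");
  return 0;
}
```

Compile and run it: the Linux-PAM and Mac OS X transcripts each leave exactly one script at DONE, the third leaves none and is reported as unknown. The simulation also applies the rule from the message that output arriving after a script has reached DONE knocks that script out, so a passwd that prints a status line after its last prompt ends up with no finished script; a real implementation has to decide which post-DONE output counts and how long to wait for passwd to exit.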




More information about the openssh-unix-dev mailing list