[Ans.]openssh3.5p1 version ... Password aging problem???

Ben Lindstrom mouring at etoh.eviladmin.org
Tue May 13 00:37:11 EST 2003


Ugh.. Hell no.

I believe the decision has been made to break from RFC and implement
password change à la 'ssh1' style.  The RFC is just too restrictive.

- Ben

On Mon, 12 May 2003, Peter Stuge wrote:

> On Mon, May 12, 2003 at 05:08:18PM +1000, Darren Tucker wrote:
> > This is a known issue with the current code.  Depending on whether or not
> > you're using PAM, the bugs (with potential solutions) are:
>
> What is the status on interfacing with the system passwd command for
> changing passwords? It's only for non-PAM situations, but is it still
> relevant there? I have tried one way of setting up the "chat scripts" but
> that failed, I've implemented the skeleton for a second try but have been
> too busy with other things to finish it for wider testing.
>
> Should I try to finish the prototype ASAP?
>
> These are the current data structures:
>
> struct SYSNAMES systems[]={
>   /* name,		tag,		current script position */
>   {"MacOS X 10.2",	OSX_10_2,	-1},
>   {"Linux-PAM",		LINUXPAM,	-1},
>   {NULL,0,0}
> };
>
> struct SCRIPT script[]={
>   /* system,	fd,	action,	text,	usec delay (default:1.5e6) */
>   {OSX_10_2,	STDERR,	EXPECT,	"password:",0},
>   {OSX_10_2,	STDIN,	SENDOLD,"\n",	0},
>   {OSX_10_2,	STDERR,	EXPECT,	"New password:",0},
>   {OSX_10_2,	STDIN,	SENDNEW,"\n",	0},
>   {OSX_10_2,	STDERR,	EXPECT,	"Retype new password:",0},
>   {OSX_10_2,	STDIN,	SENDNEW,"\n",	0},
>   {OSX_10_2,	STDIN,	DONE,	NULL,	0},
>
>   {LINUXPAM,	STDERR,	EXPECT,	"password:",0},
>   {LINUXPAM,	STDIN,	SENDOLD,"\n",	0},
>   {LINUXPAM,	STDERR,	EXPECT,	"New UNIX password: ",0},
>   {LINUXPAM,	STDIN,	SENDNEW,"\n",	0},
>   {LINUXPAM,	STDERR,	EXPECT,	"Retype new UNIX password: ",0},
>   {LINUXPAM,	STDIN,	SENDNEW,"\n",	0},
>   {LINUXPAM,	STDIN,	DONE,	NULL,	0},
>
>   {0,0,END,NULL,0}
> };
>
> SYSNAMES may only be useful for debugging, I figure it is nice to be able to
> tell the user which script was used.
>
> To save memory, the script could be chosen/created at compile time. But it's
> not a lot of data unless we get lots of different scripts.
>
> My binary implementing this is currently 6384 bytes when stripped.
>
> Theory of operation is to weed out systems that have EXPECT lines in the
> script that do not match data received from passwd; hopefully there is one
> active system, at DONE, when passwd exits. If no script is finished by the
> time passwd exits, it's an (as yet) unknown system and we'll need
> information about that password changing dialogue. If a script reaches DONE
> while passwd is still running, it will simply be made inactive. There needs
> to be a timeout here for network directories and such to update, though. A
> couple of seconds should be enough for everybody. ;)
>
>
> //Peter
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>
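The "weed out systems whose EXPECT lines do not match" idea from Peter's message, worked through as an added example that is not code from the thread or from OpenSSH. It keeps the shape of his SCRIPT[] table and adds the matcher he describes: every known system's script runs in parallel over the chunks passwd writes to stderr, a script whose pending EXPECT text is absent from a chunk is dropped, and the decision is taken when passwd exits. Assumptions not in the mail: the enum tags, matching by substring (strstr) over one read() worth of output at a time, that a script which reaches DONE simply stops consuming output, and the sample prompt chunks, which are constructed rather than captured from a real passwd. The timeout for network directories is left out; a real driver would add a select() deadline around each read.

```c
#include <stdio.h>
#include <string.h>

enum sysid  { NOSYS = 0, OSX_10_2, LINUXPAM };      /* hypothetical tags */
enum fdsel  { STDIN_FD, STDERR_FD };
enum action { EXPECT, SENDOLD, SENDNEW, DONE, END };

struct step { enum sysid system; enum fdsel fd; enum action action; const char *text; };

/* Script table in the shape of the SCRIPT[] from the mail; the prompt strings are
   copied from it and were not verified against a real passwd binary. */
static const struct step script[] = {
    {OSX_10_2, STDERR_FD, EXPECT,  "password:"},
    {OSX_10_2, STDIN_FD,  SENDOLD, "\n"},
    {OSX_10_2, STDERR_FD, EXPECT,  "New password:"},
    {OSX_10_2, STDIN_FD,  SENDNEW, "\n"},
    {OSX_10_2, STDERR_FD, EXPECT,  "Retype new password:"},
    {OSX_10_2, STDIN_FD,  SENDNEW, "\n"},
    {OSX_10_2, STDIN_FD,  DONE,    NULL},
    {LINUXPAM, STDERR_FD, EXPECT,  "password:"},
    {LINUXPAM, STDIN_FD,  SENDOLD, "\n"},
    {LINUXPAM, STDERR_FD, EXPECT,  "New UNIX password: "},
    {LINUXPAM, STDIN_FD,  SENDNEW, "\n"},
    {LINUXPAM, STDERR_FD, EXPECT,  "Retype new UNIX password: "},
    {LINUXPAM, STDIN_FD,  SENDNEW, "\n"},
    {LINUXPAM, STDIN_FD,  DONE,    NULL},
    {NOSYS,    STDIN_FD,  END,     NULL}
};

/* Per-system matcher state: pos is the last executed step (-1 = not started),
   active clears on the first EXPECT mismatch, done sets when DONE is reached. */
struct sysstate { enum sysid system; const char *name; int pos; int active; int done; int sends; };

/* Index of the next script step belonging to sys after index from, or -1. */
static int next_step(enum sysid sys, int from) {
    for (int i = from + 1; script[i].action != END; i++)
        if (script[i].system == sys) return i;
    return -1;
}

/* Feed one read() worth of passwd's stderr to one script. A mismatch against the
   pending EXPECT deactivates it; after a match the SEND steps up to the next
   EXPECT are "performed" (only counted here; a real driver would write the old or
   new password plus "\n" to passwd's stdin). A finished script ignores output. */
static void feed(struct sysstate *st, const char *chunk) {
    if (!st->active || st->done) return;
    int i = next_step(st->system, st->pos);
    if (i < 0 || script[i].action != EXPECT || strstr(chunk, script[i].text) == NULL) {
        st->active = 0;
        return;
    }
    st->pos = i;
    for (i = next_step(st->system, i); i >= 0; i = next_step(st->system, i)) {
        if (script[i].action == EXPECT) break;
        st->pos = i;
        if (script[i].action == DONE) { st->done = 1; break; }
        st->sends++;
    }
}

/* Decision taken when passwd exits: exactly one finished script identifies the
   system; none finished means an unknown dialogue, several means ambiguity. */
enum sysid identify_dialogue(const char *const *chunks, size_t nchunks) {
    struct sysstate st[] = {
        {OSX_10_2, "MacOS X 10.2", -1, 1, 0, 0},
        {LINUXPAM, "Linux-PAM",    -1, 1, 0, 0},
    };
    size_t nsys = sizeof st / sizeof st[0];
    for (size_t c = 0; c < nchunks; c++)
        for (size_t s = 0; s < nsys; s++)
            feed(&st[s], chunks[c]);
    enum sysid found = NOSYS;
    for (size_t s = 0; s < nsys; s++) {
        if (!st[s].done) continue;
        if (found != NOSYS) return NOSYS;   /* more than one script finished */
        found = st[s].system;
    }
    return found;
}

/* Constructed stderr chunks, one string per read(); not captured from a real system. */
static const char *const linuxpam_chunks[] = {
    "Changing password for peter.\n(current) UNIX password: ",
    "New UNIX password: ",
    "Retype new UNIX password: ",
    "passwd: all authentication tokens updated successfully.\n",
};
static const char *const osx_chunks[] = {
    "Changing password for peter.\nOld password:",
    "New password:",
    "Retype new password:",
};
static const char *const unknown_chunks[] = {
    "Enter login(NIS) password:",
    "Please try again\n",
};

int main(void) {
    printf("Linux-PAM dialogue -> %d\n", identify_dialogue(linuxpam_chunks, 4));
    printf("MacOS X dialogue   -> %d\n", identify_dialogue(osx_chunks, 3));
    printf("unknown dialogue   -> %d\n", identify_dialogue(unknown_chunks, 2));
    return 0;
}
```

The second chunk is what separates the two scripts: "New UNIX password: " does not contain "New password:" and vice versa, so exactly one script survives to DONE. The third sample shows the "unknown system" outcome Peter describes, where both scripts match the generic "password:" prompt and then both fall off at the next chunk, leaving nothing finished when passwd exits. Substring matching is deliberately loose so that a leading "Changing password for ..." line does not break the first EXPECT, but it also means a script's first prompt should be the most specific text available for that system.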