Solaris password requirements not enforced
Darren Tucker
dtucker at zip.com.au
Thu Aug 12 18:23:10 EST 2004
Srinivas Gopaladasu wrote:
> Darren Tucker wrote:
>
>> It would be possible within the protocol to have a final message in
>> the kbdint round with the message in the "instruction" field but zero
>> prompts. I don't know how hard that would be to implement. There's a
>> couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect).
>
> I did not get this.
It's an example of passing messages from, in this case, PAM account
modules through the privsep master/slave arrangement and back to the
user via USERAUTH_BANNER. It's not directly applicable to your problem
unless you do some hacking on it.
> Can you please give me more details how I can atleast display the error
> messages?
If you disable pam_chauthtok in sshpam_thread [1] then sshd will fall
back to exec'ing /usr/bin/passwd (if privsep is on) or pam_chauthtok()
in the session (if privsep is off).
> Or will you be able to give me a patch?
Not right now, possibly later.
[1] In sshpam_thread in auth-pam.c, find this block:
if (compat20) {
if (!do_pam_account())
goto auth_fail;
and change "compat20" to "0" (ie zero) then recompile.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list