Solaris password requirements not enforced

Darren Tucker dtucker at zip.com.au
Thu Aug 12 18:23:10 EST 2004


Srinivas Gopaladasu wrote:
> Darren Tucker wrote:
> 
>> It would be possible within the protocol to have a final message in 
>> the kbdint round with the message in the "instruction" field but zero 
>> prompts.  I don't know how hard that would be to implement.  There's a 
>> couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect). 
> 
> I did not get this.

It's an example of passing messages from, in this case, PAM account 
modules through the privsep master/slave arrangement and back to the 
user via USERAUTH_BANNER.  It's not directly applicable to your problem 
unless you do some hacking on it.

> Can you please give me more details how I can at least display the error 
> messages?

If you disable pam_chauthtok in sshpam_thread [1] then sshd will fall 
back to exec'ing /usr/bin/passwd (if privsep is on) or pam_chauthtok() 
in the session (if privsep is off).

> Or will you be able to give me a patch?

Not right now, possibly later.

[1] In sshpam_thread in auth-pam.c, find this block:
	if (compat20) {
		if (!do_pam_account())
			goto auth_fail;
and change "compat20" to "0" (ie zero) then recompile.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
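
The two wire messages discussed above, a keyboard-interactive INFO_REQUEST with zero prompts (RFC 4256) and a USERAUTH_BANNER (RFC 4252), sketched as an added example that is not part of the original message and is not OpenSSH code. The function names and the sample text are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SSH_MSG_USERAUTH_BANNER       53 /* RFC 4252, section 5.4 */
#define SSH_MSG_USERAUTH_INFO_REQUEST 60 /* RFC 4256, section 3.2 */

/* Append a big-endian uint32 at off; returns the new offset, 0 on error. */
static size_t put_u32(uint8_t *b, size_t cap, size_t off, uint32_t v)
{
	if (off == 0 || off > cap || cap - off < 4)
		return 0;
	b[off] = v >> 24; b[off + 1] = v >> 16; b[off + 2] = v >> 8; b[off + 3] = v;
	return off + 4;
}

/* Append an SSH "string": uint32 length, then the bytes (no NUL). */
static size_t put_string(uint8_t *b, size_t cap, size_t off, const char *s)
{
	size_t len = strlen(s);
	off = put_u32(b, cap, off, (uint32_t)len);
	if (off == 0 || cap - off < len)
		return 0;
	memcpy(b + off, s, len);
	return off + len;
}

/* INFO_REQUEST that carries only text: name, instruction, lang, num-prompts=0. */
size_t build_info_request_no_prompts(uint8_t *b, size_t cap, const char *instr)
{
	size_t off;
	if (cap < 1)
		return 0;
	b[0] = SSH_MSG_USERAUTH_INFO_REQUEST;
	off = put_string(b, cap, 1, "");     /* name (empty) */
	off = put_string(b, cap, off, instr); /* instruction shown to the user */
	off = put_string(b, cap, off, "");   /* language tag (empty) */
	return put_u32(b, cap, off, 0);      /* num-prompts = 0 */
}

/* USERAUTH_BANNER: message, language tag. */
size_t build_banner(uint8_t *b, size_t cap, const char *msg)
{
	if (cap < 1)
		return 0;
	b[0] = SSH_MSG_USERAUTH_BANNER;
	return put_string(b, cap, put_string(b, cap, 1, msg), "");
}

int main(void)
{
	uint8_t pkt[128];
	/* Constructed sample text, standing in for a PAM error message. */
	size_t n = build_info_request_no_prompts(pkt, sizeof pkt, "Password too short");
	for (size_t i = 0; i < n; i++)
		printf("%02x", pkt[i]);
	printf("\n");
	return n == 0;
}
```

Per RFC 4256, a client that receives an INFO_REQUEST with zero prompts must still answer with an INFO_RESPONSE whose num-responses is 0, so the zero-prompt variant costs one extra round trip that a banner does not.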




More information about the openssh-unix-dev mailing list