ssh daemon fails to call pam when user does not exist in /etc/passwd
Damien Mascord
tusker at tusker.org
Mon Jul 5 18:12:17 EST 2004
Hi Darren,
Setting the sp_expire flag to -1 causes the following to happen:
debug3: channel 0: close_fds r -1 w -1 e -1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for <username>
(current) UNIX password:
Seems as though ssh and/or PAM now thinks that the password is expired.
Now, even though I set sp_expire back to 0, it still thinks the password
is expired... upon a reboot, it thinks it's not expired again.
Could this be a possible bug within the nss module? Is there an RFC
that refers to the sp_expire field to see what the "official" behaviour
should be?
Damien
Darren Tucker wrote:
> Damien Mascord wrote:
>
>> It was in my unpatched sshd_config, but wasn't present in the
>> (patched) /usr/local/etc version. Thanks for the heads up.
>>
>> With or without the patch, I am able to login correctly. It seems as
>> though a restart of ssh was needed to enable the new NSS methods for
>> some reason. Not sure what the cause of the issue was, if I notice it
>> on a new installation, I will try and narrow this down, thanks for
>> your help.
>
>
> Probably picked up at initialisation time by libc and not checked again.
>
>> Since this is the case, I am assuming that PAM is required if
>> alternate NSS methods are in use ? Is there any way around this?
>
>
> Provided getpwnam and friends behave as sshd expects (i.e. the same as for
> a local account), no, PAM should not be required. In your case, sshd
> thinks the account is expired because sp_expire == 0 (which sshd
> considers to mean that your account expired some time in 1970 :-),
> whereas sshd expects "-1" if account expiry is disabled.
>
> It might be reasonable to check for zero too, *provided* that does not
> have a special meaning on some platform. (sp_lstchg == 0 is used on
> many platforms to indicate a root-forced password change, but I don't
> know if sp_expire is used for something similar).
>
>
> ------------------------------------------------------------------------
>
> Index: auth-shadow.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-shadow.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 auth-shadow.c
> --- auth-shadow.c 21 Feb 2004 23:22:05 -0000 1.5
> +++ auth-shadow.c 5 Jul 2004 07:17:23 -0000
> @@ -57,7 +57,7 @@ auth_shadow_acctexpired(struct spwd *spw
> debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
> (int)spw->sp_expire, daysleft);
>
> - if (spw->sp_expire == -1) {
> + if (spw->sp_expire == -1 || spw->sp_expire == 0) {
> debug3("account expiration disabled");
> } else if (daysleft < 0) {
> logit("Account %.100s has expired", spw->sp_namp);
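Review bot: the new `spw->sp_expire == 0` branch reuses the existing "account expiration disabled" debug message, so the log no longer distinguishes an account whose expiry was deliberately disabled (-1) from one whose field came back as 0 from an NSS backend; suggest a separate debug3 line for the zero case and a short comment above the condition recording that 0 is being treated as "not set", since the covering mail itself notes that this value might carry a different meaning on some platforms. Note also that `daysleft` is computed and logged before the check, so for the zero case the preceding debug3 will still report a large negative "days left", which is harmless but worth a word in that comment.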
>
>
> ------------------------------------------------------------------------
>
--
Damien Mascord (tusker at tusker dot org)
GPG key 2CB181BE / 93B2 EF21 0C7C F022 F467 7966 219E 92B3 2CB1 81BE
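As an added illustration of the -1 versus 0 interpretation discussed in the quoted reply: the following C example is not OpenSSH's auth-shadow.c but a constructed stand-in that mirrors its decision in two forms, the unpatched check (only -1 disables expiry) and the check from the quoted patch (0 also disables expiry). The struct, function names and the sample day numbers are assumptions made here; the day arithmetic (seconds since the epoch divided by 86400) is the convention sshd compares sp_expire against.

```c
#include <stdio.h>
#include <time.h>

/* Minimal stand-in for the sp_expire member of struct spwd (constructed here
 * so the example builds without <shadow.h>). The value is a day number
 * since the epoch; -1 means "no expiry date", which is what sshd expects. */
struct shadow_expiry {
    long sp_expire;
};

typedef enum {
    EXPIRY_DISABLED,  /* no expiry configured for the account */
    EXPIRY_ACTIVE,    /* an expiry date exists and lies in the future */
    EXPIRY_EXPIRED    /* the expiry date has passed */
} expiry_status;

/* Day number used for the comparison: seconds since the epoch / one day. */
long days_since_epoch(time_t now)
{
    return (long)(now / 86400);
}

/* Decision as in the unpatched auth_shadow_acctexpired(): only -1 disables
 * expiry. An NSS backend that hands back 0 therefore yields an expiry date
 * in January 1970 and the account is reported as expired. */
expiry_status classify_original(const struct shadow_expiry *spw, long today, long *daysleft)
{
    long left = spw->sp_expire - today;
    if (daysleft)
        *daysleft = left;
    if (spw->sp_expire == -1)
        return EXPIRY_DISABLED;
    if (left < 0)
        return EXPIRY_EXPIRED;
    return EXPIRY_ACTIVE;
}

/* Same decision with the quoted patch applied: 0 is also taken as "expiry
 * disabled". Whether 0 can safely be read as "unset" on every platform is
 * the open question raised in the thread. */
expiry_status classify_patched(const struct shadow_expiry *spw, long today, long *daysleft)
{
    long left = spw->sp_expire - today;
    if (daysleft)
        *daysleft = left;
    if (spw->sp_expire == -1 || spw->sp_expire == 0)
        return EXPIRY_DISABLED;
    if (left < 0)
        return EXPIRY_EXPIRED;
    return EXPIRY_ACTIVE;
}

static const char *status_name(expiry_status s)
{
    switch (s) {
    case EXPIRY_DISABLED: return "disabled";
    case EXPIRY_ACTIVE:   return "active";
    default:              return "expired";
    }
}

int main(void)
{
    /* Constructed sample: "today" is 5 Jul 2004 expressed as a day number. */
    long today = 12604;
    struct shadow_expiry samples[] = { { -1 }, { 0 }, { 12610 }, { 12600 } };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        long left;
        expiry_status before = classify_original(&samples[i], today, &left);
        expiry_status after = classify_patched(&samples[i], today, &left);
        printf("sp_expire=%ld daysleft=%ld original=%s patched=%s\n",
               samples[i].sp_expire, left, status_name(before), status_name(after));
    }
    return 0;
}
```

Running it shows the symptom from the thread directly: with sp_expire 0 the unpatched decision reports the account expired with about -12604 days left, while -1 and the patched zero case are both reported as disabled.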