ssh daemon fails to call pam when user does not exist in /etc/passwd

Damien Mascord tusker at tusker.org
Mon Jul 5 18:12:17 EST 2004


Hi Darren,

Setting the sp_expire flag to -1 causes the following to happen:

debug3: channel 0: close_fds r -1 w -1 e -1
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for <username>
(current) UNIX password:

Seems as though ssh and/or PAM now thinks that the password is expired.

Now, even though I set sp_expire back to 0, it still thinks the password 
is expired... upon a reboot, it thinks it's not expired again.

Could this be a possible bug within the nss module?  Is there an RFC 
that refers to the sp_expire field to see what the "official" behaviour 
should be?

Damien

Darren Tucker wrote:

> Damien Mascord wrote:
> 
>> It was in my unpatched sshd_config, but wasn't present in the 
>> (patched) /usr/local/etc version.  Thanks for the heads up.
>>
>> With or without the patch, I am able to login correctly.  It seems as 
>> though a restart of ssh was needed to enable the new NSS methods for 
>> some reason.  Not sure what the cause of the issue was, if I notice it 
>> on a new installation, I will try and narrow this down, thanks for 
>> your help.
> 
> 
> Probably picked up at initialisation time by libc and not checked again.
> 
>> Since this is the case, I am assuming that PAM is required if 
>> alternate NSS methods are in use?  Is there any way around this?
> 
> 
> Provided getpwnam and friends behave as sshd expects (ie the same as for 
> a local account), no, PAM should not be required.  In your case, sshd 
> thinks the account is expired because sp_expire == 0 (which sshd 
> considers to mean that your account expired some time in 1970 :-), 
> whereas sshd expects "-1" if account expiry is disabled.
> 
> It might be reasonable to check for zero too, *provided* that does not 
> have a special meaning on some platform.  (sp_lstchg == 0 is used on 
> many platforms to indicate a root-forced password change, but I don't 
> know if sp_expire is used for something similar).
> 
> 
> ------------------------------------------------------------------------
> 
> Index: auth-shadow.c
> ===================================================================
> RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-shadow.c,v
> retrieving revision 1.5
> diff -u -p -r1.5 auth-shadow.c
> --- auth-shadow.c	21 Feb 2004 23:22:05 -0000	1.5
> +++ auth-shadow.c	5 Jul 2004 07:17:23 -0000
> @@ -57,7 +57,7 @@ auth_shadow_acctexpired(struct spwd *spw
>  	debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
>  	    (int)spw->sp_expire, daysleft);
>  
> -	if (spw->sp_expire == -1) {
> +	if (spw->sp_expire == -1 || spw->sp_expire == 0) {
>  		debug3("account expiration disabled");
>  	} else if (daysleft < 0) {
>  		logit("Account %.100s has expired", spw->sp_namp);
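Review bot: the new `spw->sp_expire == 0` branch shares the unchanged `debug3("account expiration disabled");` line with the explicit -1 case, so an NSS backend that leaves the field at 0 (the situation in this thread) becomes indistinguishable in the logs from an administrator who deliberately disabled expiry. Since the covering mail itself notes that 0 may carry a platform-specific meaning, consider giving the zero case its own message, e.g. `debug3("sp_expire is 0, treating account expiration as disabled");`, plus a short source comment explaining why 0 is tolerated, so the tolerated misconfiguration stays visible if this behaviour is revisited later.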
> 
> 
> ------------------------------------------------------------------------
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev


-- 
Damien Mascord (tusker at tusker dot org)
GPG key 2CB181BE / 93B2 EF21 0C7C F022 F467  7966 219E 92B3 2CB1 81BE
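The expiry decision Darren describes above (sp_expire of -1 disables the check, anything else is a day count since 1970, so an NSS backend that reports 0 makes the account look expired since 1970), as an added illustration that is not OpenSSH's code. The struct shadow_rec type is a constructed stand-in for the two fields of struct spwd involved, the treat_zero_as_disabled parameter is hypothetical and only switches between the unpatched and patched tests from the quoted hunk, and the sample records are constructed:

```c
#include <stdio.h>
#include <time.h>

/*
 * Added illustration (not OpenSSH code): how sshd's auth_shadow_acctexpired()
 * interprets sp_expire, and why an NSS backend returning 0 instead of -1
 * makes an account look as if it expired in 1970.
 */

/* Constructed stand-in for the two fields of struct spwd this check uses. */
struct shadow_rec {
    const char *sp_namp;   /* login name */
    long sp_expire;        /* expiry date in days since 1970-01-01; -1 = disabled */
};

enum acct_state {
    ACCT_OK = 0,               /* account still valid */
    ACCT_EXPIRED = 1,          /* sshd would log "Account ... has expired" */
    ACCT_EXPIRY_DISABLED = 2   /* sshd would log "account expiration disabled" */
};

/*
 * Decision mirrored from the quoted hunk. treat_zero_as_disabled is a
 * hypothetical switch: 0 gives the unpatched test (only -1 disables
 * expiry), 1 gives the patched test (0 also disables expiry).
 */
enum acct_state check_expiry(const struct shadow_rec *spw, long today,
    int treat_zero_as_disabled)
{
    long daysleft = spw->sp_expire - today;

    if (spw->sp_expire == -1 ||
        (treat_zero_as_disabled && spw->sp_expire == 0))
        return ACCT_EXPIRY_DISABLED;
    if (daysleft < 0)
        return ACCT_EXPIRED;   /* expiry date is in the past; 0 means 1970 */
    return ACCT_OK;
}

/* "today" the way shadow utilities count it: whole days since the epoch. */
long days_since_epoch(void)
{
    return (long)(time(NULL) / 86400);
}

static const char *state_name(enum acct_state s)
{
    switch (s) {
    case ACCT_OK:               return "ok";
    case ACCT_EXPIRED:          return "expired";
    case ACCT_EXPIRY_DISABLED:  return "expiry disabled";
    }
    return "?";
}

int main(void)
{
    long today = days_since_epoch();
    /* Constructed sample records: a normal local entry, an NSS backend
     * that leaves sp_expire at 0, and two entries with real dates. */
    struct shadow_rec recs[] = {
        { "local-user", -1 },          /* expiry disabled, as sshd expects */
        { "nss-user",    0 },          /* unset field reported as 0 */
        { "valid-user",  today + 30 }, /* expires in 30 days */
        { "old-user",    today - 1 },  /* expired yesterday */
    };
    size_t i;

    for (i = 0; i < sizeof(recs) / sizeof(recs[0]); i++) {
        printf("%-12s sp_expire=%6ld unpatched=%-16s patched=%s\n",
            recs[i].sp_namp, recs[i].sp_expire,
            state_name(check_expiry(&recs[i], today, 0)),
            state_name(check_expiry(&recs[i], today, 1)));
    }
    return 0;
}
```

Running it prints one line per record; the "nss-user" row is the interesting one, since it reads "expired" under the unpatched test and "expiry disabled" under the patched one, which is exactly the difference the thread is about.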