Only one chance to enter a new password?
Darren Tucker
dtucker at zip.com.au
Mon Jan 23 22:22:02 EST 2006
On Mon, Jan 23, 2006 at 10:16:09AM +0000, Richard Dickens wrote:
> UsePAM yes
> UsePrivilegeSeparation no
OK, I think I see what's going on. It's a non-issue for command line clients
since the message will remain on the screen.
Please try the attached 3-chance patch (against -current but should
apply to 4.2p1 as well).
> UsePrivilegeSeparation no is used to make sure messages get logged.
Could you please elaborate on that? As far as possible, sshd should behave
the same with or without privsep wrt PAM, so I want to figure out if it's
a known issue or something new.
Index: auth-pam.c
===================================================================
RCS file: /usr/local/src/security/openssh/cvs/openssh_cvs/auth-pam.c,v
retrieving revision 1.127
diff -u -p -r1.127 auth-pam.c
--- auth-pam.c 28 Sep 2005 12:33:27 -0000 1.127
+++ auth-pam.c 23 Jan 2006 11:15:04 -0000
@@ -979,6 +979,8 @@ static struct pam_conv tty_conv = { sshp
void
do_pam_chauthtok(void)
{
+ int count = 0;
+
if (use_privsep)
fatal("Password expired (unable to change with privsep)");
sshpam_err = pam_set_item(sshpam_handle, PAM_CONV,
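Review bot: the new `int count = 0;` carries no comment saying what it bounds, and the limit itself only appears as a magic number in the loop condition further down; naming it `attempts` (or adding a one-line comment such as `/* password change attempts */`) would make the intent clear at the declaration. Note also that the unchanged `if (use_privsep) fatal(...)` directly below means the retry logic is only reachable with `UsePrivilegeSeparation no`, which matches the reporter's configuration but is worth stating in the commit message.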
@@ -987,10 +989,16 @@ do_pam_chauthtok(void)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
debug("PAM: changing password");
- sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK);
- if (sshpam_err != PAM_SUCCESS)
- fatal("PAM: pam_chauthtok(): %s",
- pam_strerror(sshpam_handle, sshpam_err));
+ do {
+ sshpam_err = pam_chauthtok(sshpam_handle,
+ PAM_CHANGE_EXPIRED_AUTHTOK);
+ fprintf(stderr, "Password change: %s\n",
+ pam_strerror(sshpam_handle, sshpam_err));
+ if (sshpam_err == PAM_SUCCESS)
+ return;
+ } while (count++ < 3);
+ fatal("PAM: pam_chauthtok(): %s",
+ pam_strerror(sshpam_handle, sshpam_err));
}
void
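Review bot: the loop condition `} while (count++ < 3);` gives four attempts, not three, since the body runs for `count` equal to 0, 1, 2 and 3 before the post-increment comparison fails; if three chances is the intent, use `} while (++count < 3);` or compare against 2. The loop also retries on every non-success code, so a module that has already given up (for example returning `PAM_MAXTRIES`) would be called again up to the limit; consider breaking out on such codes rather than only on `PAM_SUCCESS`. Finally, the `fprintf(stderr, ...)` runs on success as well, so the user sees "Password change: Success" followed immediately by the return; if that is intended as confirmation it is fine, otherwise move the print after the success check.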
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.