Running sshd with Privilege Seperation drops connection on password change

Darren Tucker dtucker at zip.com.au
Mon Dec 7 15:47:48 AEDT 2015


There's 3 ways that sshd will force you to change an expired password
when you have PAM enabled (which you do):
1) if you're using keyboard-interactive authentication, sshd will call
pam_chauthtok() as part of the authentication.  This should work with
or without privsep.

If you authenticate some other way (eg password), sshd will force you
to change your password once you start your session.
2) if you have privilege separation enabled, by the time your session
starts sshd has dropped the privileges needed to successfully call
pam_chauthtok().  Instead, it'll exec /bin/passwd.
3) if you have privsep disabled, sshd is still running as root and
will call pam_chauthtok().

On Sat, Dec 5, 2015 at 3:23 AM, Nasim, Kam <Kam.Nasim at windriver.com> wrote:
[...]
> PROBLEM:
> If I expire a linux user's password (passwd -e <user>) and then log in via ssh, it will prompt you for a password change.
> On changing the password successfully, sshd will drop the connection and client has to reconnect.

That's working as intended, and you should have seen text to that
effect.  In session.c (simplified):

static void
do_pwchange(Session *s)
{
        fprintf(stderr, "WARNING: Your password has expired.\n");
        if (s->ttyfd != -1) {
                fprintf(stderr,
                    "You must change your password now and login again!\n");
                execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);

> If I disable Privilege Seperation ("UsePrivilegeSeperation no") in sshd config then the problem goes away but that opens up a security loophole where the process is running at root privilege even prior to authentication.

RIght, see #3 above.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list