Is there such a thing as "Password Safe Forwarding"?

Stephen Harris lists at
Tue Jun 19 10:36:01 AEST 2018

On Tue, Jun 19, 2018 at 02:13:56AM +0200, Jochen Bern wrote:
> Enter a corporate password policy that requires passwords to be complex,
> different everywhere, and of limited lifetime. It helpfully suggests the
> use of password safes, but doesn't allow the lifetime to be extended by
> making the password *really* complex.

A sufficiently advanced password vault (e.g. CyberArk EPV) will allow a
user to request the current password and then will reset the password
some time later (e.g. 24 hours)... and can ensure passwords are reset
every 80 days (or whatever) so they don't expire.  There's a number
of products on the market that can do this.  In the worst case they
ssh into the account with the old password, run the "passwd" command
and set a new one.  In a good case they have access to a privileged
account (e.g. one with "sudo passwd") so they can reset the password
even if the old one doesn't work.

In this way the password is only known for a short period of time.

> Hence my question: Are there ideas/plans/projects to have an OpenSSH
> connection provide a communication channel between password safe(*) and
> the remote password-changing mechanisms, similar to how Authentication
> Agent Forwarding mediates communication between a local ssh-agent and
> remote ssh/scp/sftp/... clients? Would there be suitable pre-existing
> protocols to communicate stuff like "password change needed yes/no",
> "new password failed, please retry" etc. etc. between the end points?

If you go down this route then it sounds like a PAM password change
module that can push the new password into the vault might be a better
option, so if the "passwd" command is run then it'll also push it.

I don't think sshd is the right place for this.
