Password change required but no TTY available

Daniel Wagner daniel.wagner at siemens.com
Fri May 25 00:39:41 AEST 2018


Hi,

I upgraded the SSH server for one of our products to the portable OpenSSH
7.7p1 release. While testing I observed a change in the behavior for
expired passwords.

The commit 7c8568576071 ("upstream: switch over to the new
authorized_keys options API and") dropped the 'allowed pty' option when
the password has expired. By adding this hack, I got the old behavior
back:


--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -62,6 +62,7 @@ extern ServerOptions options;
 extern login_cap_t *lc;
 #endif

+extern struct sshauthopt *auth_opts;

 #define DAY		(24L * 60 * 60) /* 1 day in seconds */
 #define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
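Review bot: the new `extern struct sshauthopt *auth_opts;` is dropped after the `#endif` on its own, away from the file's other extern declarations (`extern login_cap_t *lc;` sits inside the `#ifdef` just above); if a header already declares `auth_opts`, include that header instead of a bare extern, otherwise group it with the existing externs and add a comment naming the file that defines it, so a later change to that global's type or name is caught at compile time rather than at link time.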
@@ -122,8 +123,11 @@ auth_password(struct ssh *ssh, const char *password)
 	}
 #endif
 	result = sys_auth_passwd(ssh, password);
-	if (authctxt->force_pwchange)
+	if (authctxt->force_pwchange) {
 		auth_restrict_session(ssh);
+		/* Allow password change via pty */
+		auth_opts->permit_pty_flag = 1;
+	}
 	return (result && ok);
 }
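Review bot: `auth_opts->permit_pty_flag = 1` re-opens one restriction immediately after `auth_restrict_session(ssh)` closed all of them, but it runs regardless of `result`, so the flag is set even when `sys_auth_passwd` rejected the password, and it dereferences `auth_opts` without a NULL check; tighten it to something like `if (result && auth_opts != NULL) auth_opts->permit_pty_flag = 1;` and extend the comment `/* Allow password change via pty */` to say that this deliberately overrides auth_restrict_session so the forced password change gets a terminal, otherwise a later reader may remove the line as a leftover.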


Is this an intentional change (auth_restrict_session), or is it just an
oversight that the PTY is not enabled again to allow password changes remotely?

Maybe I should also explain why the change is a problem for us. We have
a product which is configured and controlled via SSH. Although each
device gets an individual password from the factory, we would still like
to force the customer to set a new password on the initial connection
attempt. 'passwd -e' has been our approach so far to expire the password
for the account.

Thanks,
Daniel
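The forced-change state the message relies on ('passwd -e') is recorded in /etc/shadow as a last-change day of 0, and sshd derives its force_pwchange decision from that record's aging fields. The following C program is an added example written for this page, not code from OpenSSH or from the message: it parses shadow(5) records and applies the aging checks (forced change, maximum age, warning window, account expiry) that decide whether a login must change its password. The field layout follows shadow(5); the state names, `parse_shadow_line`, `check_shadow`, `classify_line` and the sample records with placeholder hashes are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DAY (24L * 60 * 60)   /* 1 day in seconds, same constant auth-passwd.c uses */

/* Aging fields of one /etc/shadow record (the numeric part of struct spwd).
 * -1 marks an empty/unset field. Struct and names are this example's own. */
struct shadow_entry {
    char name[64];
    long lstchg;   /* days since epoch of last change; 0 => change forced (passwd -e) */
    long min;
    long max;      /* -1 => no maximum age */
    long warn;
    long inact;
    long expire;   /* account expiry day; -1 => none */
};

enum pw_state { PW_OK, PW_WARN, PW_EXPIRED, PW_FORCED, ACCT_EXPIRED };

/* Day number "today" as shadow(5) counts it (used in production; tests pass a fixed day). */
long days_today(void) { return (long)(time(NULL) / DAY); }

/* One colon-delimited field to a long; empty or non-numeric => -1. */
static long field_to_long(const char *s, size_t len)
{
    char buf[32];
    char *end;
    long v;

    if (len == 0 || len >= sizeof(buf))
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    v = strtol(buf, &end, 10);
    return (*end == '\0') ? v : -1;
}

/* Parse "name:hash:lstchg:min:max:warn:inact:expire:flag"; 0 on success, -1 if malformed. */
int parse_shadow_line(const char *line, struct shadow_entry *out)
{
    const char *f[9];
    size_t n[9];
    int nf = 0;
    const char *p = line;

    while (nf < 9) {
        const char *q = strchr(p, ':');
        f[nf] = p;
        n[nf] = q ? (size_t)(q - p) : strcspn(p, "\n");
        nf++;
        if (q == NULL)
            break;
        p = q + 1;
    }
    if (nf < 8 || n[0] == 0 || n[0] >= sizeof(out->name))
        return -1;                 /* need at least name..expire, and a sane name */
    memcpy(out->name, f[0], n[0]);
    out->name[n[0]] = '\0';
    out->lstchg = field_to_long(f[2], n[2]);
    out->min    = field_to_long(f[3], n[3]);
    out->max    = field_to_long(f[4], n[4]);
    out->warn   = field_to_long(f[5], n[5]);
    out->inact  = field_to_long(f[6], n[6]);
    out->expire = field_to_long(f[7], n[7]);
    return 0;
}

/* Classify the record for day `today`: account expiry first, then the
 * forced-change marker that 'passwd -e' sets, then password aging. */
enum pw_state check_shadow(const struct shadow_entry *sp, long today, long *daysleft)
{
    long left;

    if (daysleft)
        *daysleft = -1;
    if (sp->expire >= 0 && today > sp->expire)
        return ACCT_EXPIRED;
    if (sp->lstchg == 0)           /* lstchg == 0: must change at next login */
        return PW_FORCED;
    if (sp->max < 0)
        return PW_OK;              /* no maximum age configured */
    left = sp->lstchg + sp->max - today;
    if (daysleft)
        *daysleft = left;
    if (left < 0)
        return PW_EXPIRED;
    if (sp->warn > 0 && left <= sp->warn)
        return PW_WARN;
    return PW_OK;
}

/* Parse one record and classify it; -1 on malformed input. */
int classify_line(const char *line, long today)
{
    struct shadow_entry e;
    if (parse_shadow_line(line, &e) != 0)
        return -1;
    return (int)check_shadow(&e, today, NULL);
}

int main(void)
{
    /* Constructed sample records; hash fields are placeholders, not real hashes. */
    const char *lines[] = {
        "ops:$6$placeholder:0:0:99999:7:::",     /* right after 'passwd -e ops' */
        "alice:$6$placeholder:17000:0:90:7:::",  /* 90-day aging */
        "svc:$6$placeholder:17000:0::::",        /* no maximum age */
    };
    long today = 17095;   /* fixed day number so the output is reproducible */
    size_t i;

    for (i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%s -> state %d\n", lines[i], classify_line(lines[i], today));
    return 0;
}
```

In a real sshd the day number comes from `days_today()`, and the PW_FORCED outcome is the case the message is about: it is the one that makes sshd call auth_restrict_session, so the user then needs a PTY to run the forced password change.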

