Password change required but no TTY available
Damien Miller
djm at mindrot.org
Fri May 25 17:13:59 AEST 2018
On Fri, 25 May 2018, Daniel Wagner wrote:
> Hi Damien,
>
> On 05/25/2018 02:37 AM, Damien Miller wrote:
> > I think it's probably okay to allow the PTY in restricted sessions
> > generally.
> >
> > The global PermitTTY option as well as any authorized_keys options will
> > still apply.
> >
> > Does this solve your problem?
> >
> > diff --git a/auth.c b/auth.c
> > index 63366768..4fc95457 100644
> > --- a/auth.c
> > +++ b/auth.c
> > @@ -1080,6 +1080,7 @@ auth_restrict_session(struct ssh *ssh)
> >
> > /* A blank sshauthopt defaults to permitting nothing */
> > restricted = sshauthopt_new();
> > + restricted->permit_pty_flag = 1;
> > restricted->restricted = 1;
> >
> > if (auth_activate_options(ssh, restricted) != 0)
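Review bot: The comment just above the added line in auth_restrict_session(), "A blank sshauthopt defaults to permitting nothing", is no longer accurate once permit_pty_flag is set to 1 right after sshauthopt_new(). Extend the comment to say that PTY allocation is the one deliberate exception, that it exists because the expired-password change dialog needs a TTY, and that the global PermitTTY option and any authorized_keys options still apply. Without that explanation, a later reader auditing restricted sessions could take the flag for an oversight and remove it.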
>
> Yes, this does also work and it looks way better than my hack :)
Thanks, I've committed this. It will be in OpenSSH 7.8 and I'll also
cherry-pick it for the V_7_7 stable git branch.
-d
----
commit fbb4b5fd4f8e0bb89732670a01954e18b69e15ba (HEAD -> master, origin/master, origin/HEAD)
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri May 25 07:11:01 2018 +0000
upstream: Do not ban PTY allocation when a sshd session is restricted
because the user password is expired as it breaks password change dialog.
regression in openssh-7.7 reported by Daniel Wagner
OpenBSD-Commit-ID: 9fc09c584c6f1964b00595e3abe7f83db4d90d73