Bug/RFE - Reacting to system specifying expired password when chrooting
peter at stuge.se
Tue Jan 26 03:34:23 AEDT 2021

Rick Greene wrote:
> User is set up with /sbin/nologin as the shell

> what I'm thinking is it should be possible to change the order of things
> such that, if PAM returns that password change required flag, the login
> process could initiate the password change process *before* going into
> the chroot environment for the user.

It looks like that would work, since the passwd command to change the
password is executed directly by sshd, without using the user's shell.

You could try the untested patch I've attached if you like.

But there may still be concerns about so much processing going on before
the configured chroot takes effect. I would have to think long about
such a change before I'd enable it on my systems.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 572 bytes
Desc: not available