[Bug 2796] sshd should allow clients to explicitly request the password change

bugzilla-daemon at bugzilla.mindrot.org
Thu Oct 19 10:19:08 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2796

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
I spent a long time looking into this a long time ago (bug #14!).

The SSH protocol has a mechanism for this called
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (RFC 4252 section 8).  Unfortunately
I know of no usable standard interface that implements the required
semantics.

I've looked at:

 - PAM.  pam_chauthtok() requires that it can interact directly with
the user, but during PASSWD_CHANGEREQ it can't.  You could potentially
have a blind conversation function that responds, but it could be
getting "enter new password" twice, maybe with "enter old password"
before that.  It could even be asking "enter message to be broadcast to
all users" for all it knows.  It does use this during
keyboard-interactive when it can interact.

 - execing /bin/passwd.  That's what it does when it gets to a tty and
your password is still expired.

 - directly manipulating password files.  There's lots of problems with
this.  While getpwent and friends provide a standard way to read them,
there's no equivalent standard API for writing them.  The files and
their formats vary by platform (eg passwd, shadow, master.passwd and
probably others), and even if you could this would not implement the
system's password complexity rules.  I did consider wrapping
/bin/passwd somehow but that would be fragile.

 - some platform-specific interfaces. The only one I recall is AIX's
putuserpw() which would actually work, but I don't know of any others
offhand.

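As an added example (not part of the bug report or OpenSSH's own code), the two messages Darren refers to from RFC 4252 section 8, encoded and parsed in Python, which makes the server-side constraint concrete: the client's reply carries the old and the new password together, so by the time sshd could call pam_chauthtok() there is no interactive conversation left to hand it. Message numbers and field layout are from RFC 4252; the helper names are mine.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50           # RFC 4252 section 6
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # RFC 4252 section 8

def _string(data: bytes) -> bytes:
    # SSH "string": uint32 big-endian length, then the bytes
    return struct.pack(">I", len(data)) + data

def _read_string(buf: bytes, pos: int):
    n = struct.unpack_from(">I", buf, pos)[0] if pos + 4 <= len(buf) else None
    if n is None or pos + 4 + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def build_passwd_changereq(prompt: str, lang: str = "") -> bytes:
    # server -> client: the password has expired, supply a new one
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + _string(prompt.encode("utf-8")) + _string(lang.encode("ascii")))

def build_password_request(user: str, service: str, password: str,
                           new_password: str = None) -> bytes:
    # client -> server "password" method; with new_password the boolean is
    # TRUE and the new password follows the old one (reply to CHANGEREQ)
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode("utf-8"))
           + _string(service.encode("ascii")) + _string(b"password")
           + (b"\x01" if new_password is not None else b"\x00")
           + _string(password.encode("utf-8")))
    if new_password is not None:
        msg += _string(new_password.encode("utf-8"))
    return msg

def parse_password_request(msg: bytes) -> dict:
    # server side: old and new password arrive together in one message, so
    # there is no interactive conversation left to hand to pam_chauthtok()
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, pos = _read_string(msg, 1)
    service, pos = _read_string(msg, pos)
    method, pos = _read_string(msg, pos)
    if method != b"password" or pos >= len(msg):
        raise ValueError("not a password request or missing change flag")
    change, pos = msg[pos] != 0, pos + 1
    password, pos = _read_string(msg, pos)
    new_pw, pos = _read_string(msg, pos) if change else (None, pos)
    if pos != len(msg):
        raise ValueError("trailing bytes")
    return {"user": user.decode("utf-8"), "service": service.decode("ascii"),
            "change": change, "password": password.decode("utf-8"),
            "new_password": None if new_pw is None else new_pw.decode("utf-8")}
```

The parser rejects truncated strings and trailing bytes, which is the checking a server would need before acting on either form of the request.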