[Bug 2796] sshd should allow clients to explicitly request the password change

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Oct 20 10:16:32 AEDT 2017


--- Comment #7 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Tomas Mraz from comment #5)
> from the sshd either via the conversation function

This is problematic for the reason I described above: at the required
point in the protocol there's no mechanism to interact with the user,
so the conversation function would have to make (possibly unwarranted)
assumptions about what each prompt means.

> or via some other out of band mechanism. Then it would set
> the PAM_AUTHTOK (and maybe also PAM_OLDAUTHTOK).

I'd love for sshd to be able to set PAM_AUTHTOK and PAM_OLDAUTHTOK via
pam_set_item() but by my read of the original RFC they're not exposed to
applications and a quick test with LinuxPAM backs this up.

(aside: it seems like they don't even exist in the XSSO spec because
they're misspelled:
