Patch for changing expired passwords

Kevin Steves stevesk at pobox.com
Tue Aug 28 02:54:05 EST 2001


On Fri, 24 Aug 2001, Dave Dykstra wrote:
:On Thu, Aug 23, 2001 at 12:42:40PM -0700, Kevin Steves wrote:
:> patch looks ok for systems with spwd. i think we need something like this,
:> but it should ideally work for all or most systems we support.
:
:I agree with you.  However, I think the best way to do that is to put in a
:solution that works at least on the most common systems; then people who
:need it on other systems will have something to patch for the next release.
:
:I have tested that it at least compiles and runs on
:    Solaris 5.5.1 & 5.7
:    Sunos 4.1.4
:    HP-UX 10.20
:    Linux Redhat 6.2
:    Irix 6.2
:    Unixware 1.1.2
:
:> in the case
:> of hp-ux for example, it has spwd and pr_passwd, but spwd can't currently
:> be used, and i don't think it should be.
:
:I see that my HP-UX machine does not have /etc/shadow so I must not have
:tested expiration over there.  I was unaware of pr_passwd, but now that you
:mention it I see it documented under getprpwent().  However, it says it is
:"for trusted systems only" and mine isn't set up that way so I won't be
:able to test it.

hp-ux doesn't use /etc/shadow (yet).  it uses the secureware-based /tcb/
stuff.  it has both getspent() and getprpwent().  today openssh will not
use getpwent() because DISABLE_SHADOW is defined.  10.20 could use support
for password expiration, because it can't use PAM, but that would require
changes to use getpwent() in some cases or to use the expire fields from
getprpwent().

:> what changes might be in openssh native, and what are in
:> portable only?
:
:All the changes that were needed in openssh native were already done by
:Markus; the patch I submitted is for portable only.

i think basic changes for checking expired passwords (and accounts) should
perhaps go upstream.  right now openssh native doesn't check pw_expire,
pw_change, and i'm not sure about its BSD_AUTH changes.  i recall NetBSD
may have changes to do the former.
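As an added illustration (not code from the patch under discussion or from OpenSSH), this is the kind of expiry decision a server can make from the ageing fields of `struct spwd` on systems that provide `<shadow.h>`. The names `shadow_state` and `classify`, the comparison rules (taken here from the shadow(5) field descriptions) and the day numbers are assumptions constructed for the example.

```c
#include <shadow.h>
#include <stdio.h>

enum pw_state { PW_OK, PW_CHANGE_REQUIRED, PW_EXPIRED, ACCT_EXPIRED };

/* Classify a shadow entry as of `today` (days since 1970-01-01).
 * Assumption: a negative field means "not set", as in shadow(5). */
enum pw_state shadow_state(const struct spwd *sp, long today)
{
    /* Account expiry is an absolute date and overrides password ageing. */
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;
    /* A last-change value of 0 means the admin forced a change at next login. */
    if (sp->sp_lstchg == 0)
        return PW_CHANGE_REQUIRED;
    /* No ageing configured for this entry. */
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)
        return PW_OK;
    /* Still inside the maximum password age. */
    if (today < sp->sp_lstchg + sp->sp_max)
        return PW_OK;
    /* Past max age: locked out only once the inactivity window has also passed. */
    if (sp->sp_inact >= 0 && today >= sp->sp_lstchg + sp->sp_max + sp->sp_inact)
        return PW_EXPIRED;
    /* Past max age but still allowed to log in and change the password. */
    return PW_CHANGE_REQUIRED;
}

/* Hypothetical helper: build a constructed entry so the check runs without
 * root access to the real shadow database. */
enum pw_state classify(long lstchg, long max, long inact, long expire, long today)
{
    struct spwd sp = { 0 };
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_inact = inact;
    sp.sp_expire = expire;
    return shadow_state(&sp, today);
}

int main(void)
{
    long today = 11562; /* constructed day number */
    printf("fresh password:   %d\n", classify(11500, 90, 7, -1, today));
    printf("past max age:     %d\n", classify(11470, 90, 7, -1, today));
    printf("past inactivity:  %d\n", classify(11400, 90, 7, -1, today));
    printf("account expired:  %d\n", classify(11500, 90, 7, 11000, today));
    return 0;
}
```

Only `PW_CHANGE_REQUIRED` is a state where offering a password change makes sense; the two expired states should end authentication.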




More information about the openssh-unix-dev mailing list