[PATCH] Password expiry with Privsep and PAM
Jan-Frode Myklebust
janfrode at parallab.no
Wed Dec 11 02:01:42 EST 2002
On Tue, Dec 10, 2002 at 11:51:16PM +1100, Darren Tucker wrote:
> Attached is a patch that implements password expiry with PAM and
> privsep. It works by passing a descriptor to the tty to the monitor,
> which sets up a child with that tty as stdin/stdout/stderr, then runs
> chauthtok(). No setuid helpers.
>
> I used some parts of Michael Steffens' patch (bugid #423) to make it
> work on HP-UX.
>
> It's still rough but it works. Tested on Solaris 8 and HPUX 11 (trusted
> configuration).
>
> Comments?
>
Haven't tested this version, but a pretty recent one
(openssh-3.5p1-passexpire8), and one thing that prevents me from using
it is that it doesn't honor the password rules defined in /etc/security/user,
i.e. minalpha, minother, minlen, mindiff, etc.
With your patch the users can choose zero-length passwords. Not good.
Unfortunately I haven't found any AIX library calls that help here, so I
think OpenSSH will have to implement these rules, or use the system's
/bin/passwd, which should do the right thing. BTW: why isn't the patch
using /bin/passwd?
-jf
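
The four rules named in the reply above, written as a check applied to a proposed password before it is accepted. This is an added example, not code from the patch or from OpenSSH; the struct, enum and function names are hypothetical, and the attribute meanings are assumed (minlen: minimum length, minalpha: minimum alphabetic characters, minother: minimum non-alphabetic characters, mindiff: minimum characters not present in the old password).

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the /etc/security/user attributes named above. */
struct pw_rules { int minalpha, minother, minlen, mindiff; };

enum pw_verdict { PW_OK = 0, PW_TOO_SHORT, PW_FEW_ALPHA, PW_FEW_OTHER,
                  PW_TOO_SIMILAR };

/* Count characters of newpw that occur nowhere in oldpw (assumed mindiff). */
static int chars_not_in_old(const char *newpw, const char *oldpw)
{
    int n = 0;
    for (; *newpw != '\0'; newpw++)
        if (strchr(oldpw, *newpw) == NULL)
            n++;
    return n;
}

/* Return PW_OK only if newpw satisfies every rule; otherwise the first
 * rule that failed. An empty password fails as soon as minlen > 0. */
enum pw_verdict check_new_password(const struct pw_rules *r,
                                   const char *oldpw, const char *newpw)
{
    int alpha = 0, other = 0;
    const char *p;

    for (p = newpw; *p != '\0'; p++) {
        if (isalpha((unsigned char)*p))
            alpha++;
        else
            other++;
    }
    if (r->minlen > 0 && strlen(newpw) < (size_t)r->minlen)
        return PW_TOO_SHORT;
    if (alpha < r->minalpha)
        return PW_FEW_ALPHA;
    if (other < r->minother)
        return PW_FEW_OTHER;
    if (chars_not_in_old(newpw, oldpw) < r->mindiff)
        return PW_TOO_SIMILAR;
    return PW_OK;
}

int main(void)
{
    struct pw_rules r = { 2, 2, 8, 4 };   /* constructed sample policy */
    printf("empty password verdict: %d\n", check_new_password(&r, "oldpass1", ""));
    return 0;
}
```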