SSH / PAM / Kerberos / password aging

Ben Lindstrom mouring at etoh.eviladmin.org
Thu Mar 28 08:31:03 EST 2002


On Wed, 27 Mar 2002, Nicolas Williams wrote:

> On Tue, Mar 26, 2002 at 05:39:09PM -0500, Nicolas Williams wrote:
> > On Tue, Mar 26, 2002 at 05:26:09PM -0500, Nicolas Williams wrote:
> > > On Tue, Mar 26, 2002 at 02:13:26PM -0800, Frank Cusack wrote:
> > > > Qualified good.  Wouldn't it be better to do pam_acct_mgmt() before kbdint
> > > > et al complete?  Your solution requires a rewrite of all PAM modules.
> > >
> > > Indeed. Fine. So move pam_acct_mgmt() into do_pam_authenticate() and
> > > also pam_chauthtok().
> > >
> > > Fine idea. I like it.
> > >
> > > > /fc
> >
> > I'll post a patch tomorrow.
>
> As you can see from my latest attachment to bug 188 the patch is a bit
> more intricate than I'd hoped for. It's very simple for kbd-interactive
> userauth, and not so simple for password userauth.
>
> For password userauth support for SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ
> must be added or password aging support (in password userauth) must be
> dropped altogether. My patch disables password aging in password
> userauth. There's more code in session.c and auth-pam.c worth ripping
> out if tty-based password aging is removed.
>
I believe if you checked out the CVS tree both server and client support
should have been committed for PASSWD_CHANGEREQ.

Or I remember the conversation and the committing of some patches for this
in --head.

- Ben




More information about the openssh-unix-dev mailing list