SSH Bug 3.5p1 Expired Passwords
Darren Tucker
dtucker at zip.com.au
Thu Feb 20 20:43:45 EST 2003
Frank Beckmann wrote:
> is this Problem Fix in a new Snapshot Version of Openssh ?
> The Fix has only run under Protokoll 1 not under Protokoll 2 :-(
[snip]
> > #if 1
> > case PAM_NEW_AUTHTOK_REQD:
No, to my knowledge there is no fix for this problem is in the current
tree. You have a couple of new options, though.
1) Using PAM.
This patch:
http://bugzilla.mindrot.org/attachment.cgi?id=198&action=view
(attached to this bug: http://bugzilla.mindrot.org/show_bug.cgi?id=423)
will (should) allow PAM NEW_AUTHTOK_REQD to work with and without
privsep.
Althought it seems to work, this will probably never make it into the
main tree because a) it makes a privsep call from the shell child
process and b) Damien has been threatening to replace the existing PAM
module.
2) Without PAM
This patch
http://www.zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire16.patch
(more info: http://www.zip.com.au/~dtucker/openssh/ and
http://bugzilla.mindrot.org/show_bug.cgi?id=14) will enable password
expiration without PAM on AIX, Solaris and a few others.
I'm hoping that this or something like it will make it to the main tree
but there seems to be a lack of interest at the moment.
The various patches have been downloaded from my page just under a
thousand times. I've been able to resolve the half-dozen or so problems
people have emailed me with, so it's probably working for some people
(and, I note, IBM are now shipping AIX packages that do password expiry;
I don't know if they're based on these).
So how about, people? What needs to be done to it?
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
More information about the openssh-unix-dev
mailing list