OpenSSH 3.8 and password expiry.
Darren Tucker
dtucker at zip.com.au
Wed Feb 11 23:26:58 EST 2004
Hi All.
I'm pleased to report that as of yesterday, OpenSSH -current now
supports forced changes of expired passwords on most platforms, and bug
#14 is now closed.
Specifically, AIX's native authentication, BSD Authentication and
shadow passwords with the expiry field are supported. The password is
changed by exec'ing /usr/bin/passwd in the session. Interested parties
should grab a snapshot and try it.
In addition, SSHv1 connections with UsePrivilegeSeparation=yes and
UsePAM=yes will use the same /usr/bin/passwd mechanism. Some time ago,
a patch to do SSHv2 password changes via keyboard-interactive was also
merged, and that should work with or without privsep.
For those who have been using my expiry patches, you should be aware
that there are some differences in behaviour between them and -current:
1) password expiry is only checked for password authentication
2) after a change (successful or otherwise), the session is terminated
and the user must log in again
3) AIX's loginsuccess() is not called for non-password authentications
4) There is no warning of pending account or password expirations for
shadow passwords.
5) Last login times won't be displayed when lastlog is readable only by
root.
Most of the other authentication-related fixes have been merged into
-current.
1) and 2) are how it will probably stay. 3) and 5) probably won't be
fixed until after the 3.8 release. I'm hoping to have 4) fixed in the
next couple of days (if anyone wants patches to test, let me know).
For those used to my patches, I will do one more series against 3.8x
with the same behaviour as present (including the not-yet-merged bits).
Once those bits are merged post-3.8, I don't plan on any further patches.
Thanks to all who contributed patches, fixes, bug reports and testing
of the patches during the last 18 months or so[1]. Not all of those
contributions ended up being used in the final solution but all were
valuable in shaping it.
Again, I encourage you to try a snapshot and report success or failure
(or queries) to the list.
-Daz.
[1] Pablo Sor, Mark Pitt, Zdenek Tlusty, Kevin Cawlfield, Dan Oviatt,
Ravinder Sekhon, Scott Burch and Andrew Elwell. Apologies to anyone I
missed.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
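The shadow-password expiry decision described above, together with the pending-expiry warning that item 4 says is still missing, as an added example in C; it is not OpenSSH's own auth-shadow code. The `shadow_aging` struct, `pw_days_left`, `shadow_check` and `shadow_check_fields` are names chosen here; the fields follow the `struct spwd` day-count conventions (days since the epoch, -1 for unset, lstchg of 0 meaning "change at next login") and the entry values used are constructed.

```c
#include <limits.h>

/* Aging fields of a shadow entry, named after the struct spwd members they
 * mirror; days count from the Unix epoch and -1 means "unset". */
struct shadow_aging {
    long lstchg;  /* day of last change; 0 = must change at next login */
    long max;     /* max days the password may be used; -1 = no aging */
    long warn;    /* days before expiry to start warning; -1 = never */
    long expire;  /* day the whole account expires; -1 = never */
};

enum pw_state { PW_OK = 0, PW_WARN = 1, PW_EXPIRED = 2, ACCT_EXPIRED = 3 };

/* Days until the password expires (negative once it has); LONG_MAX = no aging. */
long pw_days_left(long lstchg, long max, long today)
{
    if (lstchg == -1 || max == -1)
        return LONG_MAX;
    return lstchg + max - today;
}

/* Classify the entry as of 'today' (days since the epoch). Account expiry
 * comes first: it blocks login even when the password itself is current. */
enum pw_state shadow_check(const struct shadow_aging *sp, long today)
{
    long left;

    if (sp->expire != -1 && today >= sp->expire)
        return ACCT_EXPIRED;
    if (sp->lstchg == 0)
        return PW_EXPIRED;          /* admin forced a change at next login */
    left = pw_days_left(sp->lstchg, sp->max, today);
    if (left == LONG_MAX)
        return PW_OK;
    if (left < 0)
        return PW_EXPIRED;          /* the state that forces a passwd run */
    if (sp->warn != -1 && left <= sp->warn)
        return PW_WARN;             /* the pending-expiry warning of item 4 */
    return PW_OK;
}

/* Scalar wrapper so one call can check a hand-written entry. */
enum pw_state shadow_check_fields(long lstchg, long max, long warn,
                                  long expire, long today)
{
    struct shadow_aging sp = { lstchg, max, warn, expire };
    return shadow_check(&sp, today);
}
```

A password changed on day 12000 with a 90-day maximum is still valid on day 12090 (zero days left, so the warning fires) and expired on day 12091, matching the `today > lstchg + max` rule of the shadow suite.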