Support for RFC4252 in sshd with PAM

david.hubbard at infracentric.com david.hubbard at infracentric.com
Fri Sep 28 23:23:46 AEST 2018 

Hi

 

I'm trying to integration a Java application using SSHJ
<https://github.com/hierynomus/sshj>  client-side - into OpenSSH 7.4.  This
is fine, except where I get to a password expiry situation.

 

Looking at RFC4252 <https://www.ietf.org/rfc/rfc4252.txt>  (which is
supported by SSHJ) I don't see any SSH_MSG_USERAUTH_PASSWD_CHANGEREQ [60]
messages getting passed from OpenSSH.  SSHJ expects these to allow prompting
for new password.

 

The only references to SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ in the OpenSSH
Portable code are in "sshconnect2.c" - which I believe is client-side.  

 

So is RFC4252 supported for sshd (server-side) ?

 

I have compiled OpenSSH Portable
<https://github.com/openssh/openssh-portable>  (v 7.8)  on Centos 7 (using
PAM) and got into debug mode 

 

In sshd_config I have 

 

UsePAM yes

PasswordAuthentication yes

ChallengeResponseAuthentication no

AuthenticationMethods password

 

I can see two phases where authentication is applied - the first.

 

debug3: mm_request_receive entering

debug1: do_pam_account: called

debug2: do_pam_account: auth information in SSH_AUTH_INFO_0

debug3: PAM: sshpam_passwd_conv called with 1 messages

debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required)

debug3: sshpam_password_change_required 1

debug3: mm_request_send entering: type 103

Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2

debug1: monitor_child_preauth: dhubbard2 has been authenticated by
privileged process

debug3: mm_get_keystate: Waiting for new keys

debug3: mm_request_receive_expect entering: type 26

debug3: mm_request_receive entering

debug3: mm_get_keystate: GOT new keys

debug3: mm_auth_password: user authenticated [preauth]

 

However all I can see from the "password_change_required" is code in
auth-pam.c to set the auth token to PAM_CHANGE_EXPIRED_AUTHTOK, but no
RFC4252 style communication.

 

Then later.

 

debug2: ## DH: userauth_finish [preauth]

debug3: auth2_update_methods_lists: updating methods list after "password"
[preauth]

debug2: authentication methods list 0 complete [preauth]

debug2: ## DH: about to do_pam_account [preauth]

debug3: mm_do_pam_account entering [preauth]

debug3: mm_request_send entering: type 102 [preauth]

debug3: mm_request_receive_expect entering: type 103 [preauth]

debug3: mm_request_receive entering [preauth]

debug3: mm_do_pam_account returning 1 [preauth]

debug2: ## DH: done do_pam_account - no message [preauth]

debug3: send packet: type 52 [preauth]

 

i.e. no recognition of the expiry and no comms.

 

Am I missing something - like a config setting?  

 

Thanks in advance

David

More information about the openssh-unix-dev mailing list