bugzilla-daemon at mindrot.org
2004-Feb-07 22:29 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What                    |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|        |793
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2004-Feb-07 22:34 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #5 is obsolete  |0       |1
Attachment #278 is obsolete|0       |1
------- Additional Comments From dtucker at zip.com.au 2004-02-08 09:34 -------
Created an attachment (id=540)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=540&action=view)
Hook shadow expiry into do_pwchange
This is basically a simple move of the existing shadow password expiry check
from auth.c into a new file auth-shadow.c, plus the hook to call it from
auth-passwd.c.
bugzilla-daemon at mindrot.org
2004-Feb-08 01:38 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
------- Additional Comments From dtucker at zip.com.au 2004-02-08 12:38 -------
Created an attachment (id=541)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=541&action=view)
Hook AIX password expiry into do_pwchange
This moves the AIX implementation of sys_auth_passwd to
openbsd-compat/port-aix.c and adds checking for expired passwords.
bugzilla-daemon at mindrot.org
2004-Feb-08 01:42 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
------- Additional Comments From dtucker at zip.com.au 2004-02-08 12:42 -------
Should have mentioned with earlier patches: OpenSSH -current now contains
support for changing expired passwords by exec'ing /usr/bin/passwd. The
previous 2 patches will apply only to recent snapshots.
bugzilla-daemon at mindrot.org
2004-Feb-08 03:10 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
------- Additional Comments From dtucker at zip.com.au 2004-02-08 14:10 -------
Created an attachment (id=542)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=542&action=view)
Hook the SSHv1 PAM password expired case into do_pwchange
Call do_pwchange for expired PAM passwords when Protocol=1 and
UsePrivilegeSeparation=yes.
bugzilla-daemon at mindrot.org
2004-Feb-10 00:33 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #542 is obsolete|0       |1
------- Additional Comments From dtucker at zip.com.au 2004-02-10 11:33 -------
Created an attachment (id=543)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=543&action=view)
Use do_pwchange for SSHv1 password change without privsep
Also replaces sshpam_new_authtok_reqd with session->force_pwchange and
removes redundant functions from auth-pam.c.
bugzilla-daemon at mindrot.org
2004-Feb-10 00:57 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From djm at mindrot.org 2004-02-10 11:57 ------- (From update of attachment 543)>+ if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) { >+ display_loginmsg(); > do_pam_chauthtok(); > /* XXX - signal [net] parent to enable forwardings...>- if (s->authctxt->force_pwchange) { >+ if (s->authctxt->force_pwchange && !(options.use_pam && !use_privsep)) { > do_setusercontext(pw); > child_close_fds(); > do_pwchange(s);What about the use_pam == 1, use_privsep == 1 and authctxt->force_pwchange == 1 case? ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
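Review bot: In the second changed condition, `!(options.use_pam && !use_privsep)` is the negation of the guard added to the first `if`, so the PAM-without-privsep test is now spelled out twice and the two copies have to be kept in agreement by hand; a later edit to only one of them could let a forced change run both do_pam_chauthtok() and do_pwchange(), or neither. Consider clearing `s->authctxt->force_pwchange` once do_pam_chauthtok() has run, so the second test can stay `if (s->authctxt->force_pwchange)`, or hoist the PAM-without-privsep test into one named local used by both branches.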
bugzilla-daemon at mindrot.org
2004-Feb-10 01:05 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
djm at mindrot.org changed:
What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #540 Status|        |ok
------- Additional Comments From djm at mindrot.org 2004-02-10 12:05 -------
(From update of attachment 540)
I'm not sure we need a whole auth-shadow.h for a single function - is there
anywhere else the prototype could be stashed? (even as an extern in the file
where it is used)
Otherwise OK.
bugzilla-daemon at mindrot.org
2004-Feb-10 01:07 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
djm at mindrot.org changed:
What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #541 Status|        |ok
------- Additional Comments From djm at mindrot.org 2004-02-10 12:07 -------
(From update of attachment 541)
looks OK to me, but you are the AIX expert.
bugzilla-daemon at mindrot.org
2004-Feb-10 01:12 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
------- Additional Comments From dtucker at zip.com.au 2004-02-10 12:12 -------
> What about the use_pam == 1, use_privsep == 1 and authctxt->force_pwchange == 1
> case?
This one will catch that:
+ if (s->authctxt->force_pwchange && !(options.use_pam && !use_privsep))
[...]
do_pwchange()
= 1 && !(1 && !1)
= 1 && !(0)
= 1 && 1
do_pam_chauthtok() should only be called for use_pam = 1 and use_privsep = 0.
The logic could possibly be clearer, though.
bugzilla-daemon at mindrot.org
2004-Feb-10 01:16 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
------- Additional Comments From dtucker at zip.com.au 2004-02-10 12:16 -------
> I'm not sure we need a whole auth-shadow.h for a single function
I had thought that other shadow functions would go there too, eg
auth_shadow_acctexpired(). We could put them in auth.h instead and add
auth-shadow.h should it ever be worth it.
bugzilla-daemon at mindrot.org
2004-Feb-10 01:24 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
------- Additional Comments From djm at mindrot.org 2004-02-10 12:24 -------
Could it be simplified by resetting authctxt->force_pwchange after
do_pam_chauthtok()?
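The two ways of routing a forced password change discussed in the messages above, as an added model that is not code from the attachments or from OpenSSH: it walks all eight combinations of use_pam, use_privsep and force_pwchange and checks that the negated-condition form and the reset-the-flag form pick the same single path. The function names and the exact placement of the reset are assumptions made for this example.

```c
#include <stdio.h>
/* Which password-change path ran (bit flags, so a double dispatch is visible). */
enum { NONE = 0, PAM_CHAUTHTOK = 1, DO_PWCHANGE = 2 };

/* Form quoted from attachment 543: two separate tests, the second one
 * excluding the PAM-without-privsep case by negation. */
static int dispatch_543(int use_pam, int use_privsep, int force_pwchange)
{
    int ran = NONE;
    if (use_pam && !use_privsep && force_pwchange)
        ran |= PAM_CHAUTHTOK;
    if (force_pwchange && !(use_pam && !use_privsep))
        ran |= DO_PWCHANGE;
    return ran;
}

/* Form suggested in the thread: clear the flag once the PAM path has run.
 * Where exactly the reset goes is an assumption of this model. */
static int dispatch_reset(int use_pam, int use_privsep, int force_pwchange)
{
    int ran = NONE;
    if (use_pam && !use_privsep && force_pwchange) {
        ran |= PAM_CHAUTHTOK;
        force_pwchange = 0;
    }
    if (force_pwchange)
        ran |= DO_PWCHANGE;
    return ran;
}

/* Walk all 8 inputs; count cases where the forms differ, where a forced
 * change runs zero or two paths, or where a path runs without the flag. */
static int count_violations(void)
{
    int bad = 0;
    for (int m = 0; m < 8; m++) {
        int pam = m & 1, privsep = (m >> 1) & 1, force = (m >> 2) & 1;
        int a = dispatch_543(pam, privsep, force);
        int b = dispatch_reset(pam, privsep, force);
        int one_path = (a == PAM_CHAUTHTOK || a == DO_PWCHANGE);
        if (a != b || (force ? !one_path : a != NONE))
            bad++;
        printf("pam=%d privsep=%d force=%d -> 543:%d reset:%d\n", pam, privsep, force, a, b);
    }
    return bad;
}

int main(void) { return count_violations() != 0; }
```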
bugzilla-daemon at mindrot.org
2004-Feb-10 01:37 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #543 is obsolete|0       |1
------- Additional Comments From dtucker at zip.com.au 2004-02-10 12:37 -------
Created an attachment (id=544)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=544&action=view)
Use do_pwchange for SSHv1 password change without privsep
> Could it be simplified by resetting authctxt->force_pwchange after
> do_pam_chauthtok()?
Yeah, much neater. Tidied up the extra debugs in auth-pam too.
bugzilla-daemon at mindrot.org
2004-Feb-10 02:12 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
djm at mindrot.org changed:
What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #544 Status|        |ok
------- Additional Comments From djm at mindrot.org 2004-02-10 13:12 -------
(From update of attachment 544)
fine by me
bugzilla-daemon at mindrot.org
2004-Feb-10 02:27 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
BugsThisDependsOn|463 |
Status|ASSIGNED |RESOLVED
Resolution| |FIXED
------- Additional Comments From dtucker at zip.com.au 2004-02-10 13:27 -------
Patches 540, 541 & 544 applied. Yeehaa....