I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
http://bugzilla.mindrot.org/show_bug.cgi?id=14

On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
http://bugzilla.mindrot.org/show_bug.cgi?id=125

In fact, both patches work together, apparently.

If I have any issues, I'll post them here.

Jeff Koenig

>>> Darren Tucker <dtucker at zip.com.au> 03/07/03 12:55AM >>>
Hi again.

Ben Lindstrom wrote:
> So if you have any patches you need to ensure your platform works speak
> up. We are looking at a lock on the 17th.

There are a couple of patches in Bugzilla that relate to my pet project:

Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/attachment.cgi?id=240&action=view

Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view

There is some overlap between the two patches and they're out of sync with each other.

Can I please get someone to review these and let me know if they're suitable for inclusion in 3.6p1? The expiry patches have been pretty heavily tested (nearly 800 downloads of the patch). I've had about a dozen reports of problems, all of which have been resolved (mostly configuring with PAM when it wasn't supported, a couple of genuine problems and a couple of cases of pilot error).

If they are likely to go in, please let me know what you'd like done with them (eg, merge them into a single patch or make 2 "stacked" patches to be applied sequentially, and particularly what if anything should be done with the interaction with do_pam_chauthtok).

--
Darren Tucker (dtucker at zip.com.au)
GPG Fingerprint D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
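The check that Bugzilla bug 14 ("Can't change expired /etc/shadow password without PAM") is about is the shadow(5) password-ageing arithmetic, which an sshd built without PAM has to perform itself before it can decide whether to refuse a login, force a password change, or merely warn. The following is an added worked example written for this page; it is not code from this thread, from the passexpire patch, or from OpenSSH, and it goes beyond the thread in also covering the account-expiry and inactivity-grace fields. Assumptions: field meanings follow shadow(5), all dates are day counts since 1970-01-01, a maximum age of 10000 days or more is treated as "never expires" (the shadow suite's convention), and the shadow lines and account names at the bottom are constructed for the example.

```python
"""Added worked example: the shadow(5) password-ageing check that an sshd
built without PAM must do itself (the situation behind Bugzilla bug 14).
This is illustrative code written for this page, not code from the thread,
from the passexpire patch, or from OpenSSH.

Assumptions: field meanings follow shadow(5), every date is a day count
since 1970-01-01, and a maximum age of 10000 days or more is treated as
"never expires" (the shadow suite's convention). The shadow lines and
account names at the bottom are constructed for the example.
"""
from datetime import date
from typing import Dict, NamedTuple, Optional, Tuple

EPOCH = date(1970, 1, 1)
INFINITE_MAX = 10000  # assumption: shadow-suite convention for "no ageing"


def day_number(year: int, month: int, day: int) -> int:
    """Calendar date -> days since the epoch, the unit /etc/shadow uses."""
    return (date(year, month, day) - EPOCH).days


class ShadowEntry(NamedTuple):
    name: str
    lastchg: Optional[int]   # day of last change; 0 = must change at next login
    minimum: Optional[int]   # min days between changes (not needed for expiry)
    maximum: Optional[int]   # empty or -1 = password never ages out
    warn: Optional[int]      # days before expiry at which to start warning
    inact: Optional[int]     # grace days after expiry; empty = no inactivity lock
    expire: Optional[int]    # day the whole account is disabled; empty = never


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one shadow(5) line. Empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(f))

    def num(s: str) -> Optional[int]:
        return int(s) if s != "" else None

    # f[1] is the hash, f[8] is reserved; neither matters for ageing.
    return ShadowEntry(f[0], num(f[2]), num(f[3]), num(f[4]),
                       num(f[5]), num(f[6]), num(f[7]))


def password_status(e: ShadowEntry, today: int) -> Tuple[str, int]:
    """Classify an entry for a login on day `today`. Returns (status, days):

    account_expired  sp_expire has passed: refuse the login outright
    locked           aged out and past the inactivity grace: refuse, no change
    change_required  only a forced password change may proceed (bug 14's case)
    warn             still valid; days = days left before a change is forced
    ok               days = days left, or -1 if the password never ages out
    Checks are ordered worst-first, so the most restrictive verdict wins.
    """
    if e.expire is not None and e.expire > 0 and today >= e.expire:
        return "account_expired", 0
    if e.lastchg == 0:
        return "change_required", 0
    if (e.lastchg is None or e.lastchg < 0 or e.maximum is None
            or e.maximum < 0 or e.maximum >= INFINITE_MAX):
        return "ok", -1
    expiry_day = e.lastchg + e.maximum
    if e.inact is not None and e.inact >= 0 and today >= expiry_day + e.inact:
        return "locked", 0
    if today >= expiry_day:
        return "change_required", 0
    days_left = expiry_day - today
    if e.warn is not None and e.warn > 0 and days_left <= e.warn:
        return "warn", days_left
    return "ok", days_left


def classify_all(shadow_text: str, today: int) -> Dict[str, Tuple[str, int]]:
    """Run password_status over every non-empty line of a shadow file."""
    return {
        entry.name: password_status(entry, today)
        for entry in (parse_shadow_line(l) for l in shadow_text.splitlines() if l)
    }


# Constructed sample (hypothetical accounts, placeholder hashes). Day 12100 is
# 2003-02-17; the login being simulated happens on 2003-03-19, day 12130.
SAMPLE_SHADOW = """\
root:$1$placeholder:12100:0:99999:7:::
alice:$1$placeholder:12100:0:90:7:::
bob:$1$placeholder:12100:0:30:7:::
carol:$1$placeholder:12090:0:30:7:5::
dave:$1$placeholder:0:0:90:7:::
erin:$1$placeholder:12100:0:90:7::12120:
frank:$1$placeholder:12100:0:35:7:::
"""

if __name__ == "__main__":
    today = day_number(2003, 3, 19)
    for name, (status, days) in classify_all(SAMPLE_SHADOW, today).items():
        print("%-6s %-16s %d" % (name, status, days))
```

Only the "change_required" verdict is the one the thread is arguing about: a PAM-enabled sshd hands it to pam_chauthtok(), while a non-PAM sshd has to run the passwd program itself, which is what the bug 14 patch adds. The "locked" and "account_expired" verdicts must refuse the login rather than offer a change, and the ordering of the checks matters for exactly that reason.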
I would like to see the expiry patch in as well. We use OpenSSH across a large corporation, with thousands of servers (Solaris, AIX, HP, etc). Our policies require password expiry... What's the point of SSH if you have to use telnet to change your password after it expires...? :-)

Thanks for the consideration,
Brian Hayward

> I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
> http://bugzilla.mindrot.org/show_bug.cgi?id=14
>
> On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
> http://bugzilla.mindrot.org/show_bug.cgi?id=125
>
> In fact, both patches work together, apparently.
>
> If I have any issues, I'll post them here.
>
> Jeff Koenig
>
> >>> Darren Tucker <dtucker at zip.com.au> 03/07/03 12:55AM >>>
> Hi again.
>
> Ben Lindstrom wrote:
> > So if you have any patches you need to ensure your platform works speak
> > up. We are looking at a lock on the 17th.
>
> There's a couple of patches in Bugzilla that relate to my pet project:
>
> Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
> http://bugzilla.mindrot.org/attachment.cgi?id=240&action=view
>
> Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view
>
> There is some overlap between the two patches and they're out of sync
> with each other.
>
> Can I please get someone to review these and let me know if they're
> suitable for inclusion in 3.6p1? The expiry patches have been pretty
> heavily tested (nearly 800 downloads of the patch). I've had about a
> dozen reports of problems, all of which have been resolved (mostly
> configuring with pam when it wasn't supported, a couple of genuine
> problems and a couple of cases of pilot error).
>
> If they are likely to go in, please let me know what you'd like done
> with them (eg, merge them into a single patch or make 2 "stacked"
> patches to be applied sequentially, and particularly what if anything
> should be done with the interaction with do_pam_chauthtok).
>
> --

Brian Hayward
Jeff Koenig wrote:
> I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
> http://bugzilla.mindrot.org/show_bug.cgi?id=14
>
> On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
> http://bugzilla.mindrot.org/show_bug.cgi?id=125
>
> In fact, both patches work together, apparently.

These won't be in the 3.6p1 release. The password expiry issue will be one of the foci of the next release cycle. I haven't yet looked into the BSM patch.

> Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view

This will be looked at too. This issue exists in the OpenBSD version too, so it needs to be fixed at the source.

-d
Why are password expiry and BSM support not in the code by now? People have been talking about these since before 3.5p1. At least, can't they be added and just not on by default? Like having a --password_expire and --bsm_support or something?

I don't understand why password expiry and BSM auditing support are not a higher priority. I would think a lot of companies are required to use these features. Is the patch code just not tested enough or something? I'm just a little frustrated.

Anyway, thanks for all the work you guys have done so far, by the way.

Jeff

>>> Ben Lindstrom <mouring at etoh.eviladmin.org> 03/19/03 09:46PM >>>
That's nice.. problem is when we normally call for testing.. It means NO NEW FEATURES. As in *RELEASE SOON*...

Sorry folks.. These won't be in 3.6.

- Ben

On Wed, 19 Mar 2003 hayward at slothmud.org wrote:

>
> I would like to see the expiry patch in as well. We use OpenSSH across a
> large corporation, with thousands of servers (Solaris, AIX, HP, etc) Our
> policies require password expiry... What's the point of SSH if you have
> to use telnet to change your password after it expires...? :-)
>
> Thanks for the consideration,
> Brian Hayward
>
>
> >I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible:
> >http://bugzilla.mindrot.org/show_bug.cgi?id=14
> >
> >On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1:
> >http://bugzilla.mindrot.org/show_bug.cgi?id=125
> >
> >In fact, both patches work together, apparently.
> >
> >If I have any issues, I'll post them here.
> >
> >Jeff Koenig
> >
> >>>> Darren Tucker <dtucker at zip.com.au> 03/07/03 12:55AM >>>
> >Hi again.
> >
> >Ben Lindstrom wrote:
> >> So if you have any patches you need to ensure your platform works speak
> >> up. We are looking at a lock on the 17th.
> >
> >There's a couple of patches in Bugzilla that relate to my pet project:
> >
> >Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
> >http://bugzilla.mindrot.org/attachment.cgi?id=240&action=view
> >
> >Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> >http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view
> >
> >There is some overlap between the two patches and they're out of sync
> >with each other.
> >
> >Can I please get someone to review these and let me know if they're
> >suitable for inclusion in 3.6p1? The expiry patches have been pretty
> >heavily tested (nearly 800 downloads of the patch). I've had about a
> >dozen reports of problems, all of which have been resolved (mostly
> >configuring with pam when it wasn't supported, a couple of genuine
> >problems and a couple of cases of pilot error).
> >
> >If they are likely to go in, please let me know what you'd like done
> >with them (eg, merge them into a single patch or make 2 "stacked"
> >patches to be applied sequentially, and particularly what if anything
> >should be done with the interaction with do_pam_chauthtok).
> >
> >
> > --
> Brian Hayward
>
> Bugzilla Bug 14: Can't change expired /etc/shadow password without PAM
> http://bugzilla.mindrot.org/attachment.cgi?id=240&action=view
>
> Bugzilla Bug 463: PrintLastLog doesn't work in privsep mode
> http://bugzilla.mindrot.org/attachment.cgi?id=235&action=view
>
> There is some overlap between the two patches and they're out of sync
> with each other. Can I please get someone to review these and let me
> know if they're suitable for inclusion in 3.6p1? The expiry patches have
> been pretty heavily tested (nearly 800 downloads of the patch). I've had
> about a dozen reports of problems, all of which have been resolved (mostly
> configuring with pam when it wasn't supported, a couple of genuine
> problems and a couple of cases of pilot error).

Here are my observations about the latest version of the patch (passexpire18).

Platform     : Solaris 8
Auth Type    : PAM
PAM Module   : Cusack pam_krb5 (v1.0)
Kerberos Ver : MIT 1.2.6

- Without privsep

  o PASSWD_PROGRAM_PATH defined as "kpasswd":
    - the PAM module doesn't appear to create the ccache before kpasswd
      is called, and kpasswd requires a valid ccache to change passwords

  o PASSWD_PROGRAM_PATH defined as "kinit":
    - the program is called successfully, but requires the user to enter
          Old PW
          New PW
          New PW
      even though the user already logged in with "Old PW"

- With privsep

  o default:
    - sshd returns "Password changing is currently unsupported with
      privilege separation"

  o with this commented out in do_pam_chauthtok(), thereby calling
    pam_chauthtok():

    ---------
        if (password_change_required) {
    #if 0
                if (use_privsep)
                        fatal("Password changing is currently unsupported"
                            " with privilege separation");
    #endif
                pamstate = OTHER;
                pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
    ---------

    - sshd successfully changes the password, although it exits
      immediately afterward

I can do more testing if anyone's interested.

FYI.

----------------------------------------------------------------------
| Jim Hranicky, Senior SysAdmin                    UF/CISE Department |
| E314D CSE Building                            Phone (352) 392-1499  |
| jfh at cise.ufl.edu                     http://www.cise.ufl.edu/~jfh |
----------------------------------------------------------------------
"Given a choice between a complex, difficult-to-understand, disconcerting explanation and a simplistic, comforting one, many prefer simplistic comfort if it's remotely plausible, especially if it involves blaming someone else for their problems."
-- Bob Lewis, _Infoworld_