First, my config:
Solaris 8
PADL pam_ldap v165 and pam_nss v211
OpenSSH 3.7.1.p2
All compiled with gcc 2.95.3 that ships with the Sun companion CD

LDAP PAM authentication is working well with OpenSSH, privsep is disabled, challenge-response authentication is enabled. I would like to turn on password aging, which seems to be well supported by pam_ldap. Logins going through /bin/login correctly display warnings and run through the password change when required. Password aging is not completely broken through OpenSSH, but not perfect either. Warnings are not displayed at all.

Here is a transcript of an expired password session through login:

>SunOS 5.8
>
>login: sdr
>Password:
>You are required to change your LDAP password immediately.
>Choose a new password.
>Enter login(LDAP) password:
>LDAP Password incorrect: try again
>Enter login(LDAP) password:
>New password:
>Re-enter new password:
>LDAP password information changed for sdr
>No directory! Logging in with home=/
>Last login: Mon Dec 22 17:02:57 from someplace.somewhere
>bash-2.03$

and OpenSSH (Putty client) looks like this:

>login as: sdr
>Password:
>Enter login(LDAP) password:
>New password:
>Re-enter new password:
>LDAP password information changed for sdr
>Last login: Mon Dec 22 17:03:50 2003 from someplace.somewhere
>Could not chdir to home directory /export/home/sdr: No such file or directory
>bash-2.03$

So the password change is being forced, but some of the prompts from pam_ldap are being lost. I'm not sure where to go from here, so any help or guidance is appreciated. Please keep me on the CC list as I am not subscribed to the list.

Thank You,
Steve Roylance
Roylance, Stephen D. wrote:
> First, my config:
> Solaris 8
> PADL pam_ldap v165 and pam_nss v211
> OpenSSH 3.7.1.p2
> All compiled with gcc 2.95.3 that ships with the Sun companion CD
> I would like to turn on
> password aging, which seems to be well supported by pam_ldap.

Could you please try a snapshot[1]? There have been several PAM-related changes, including some code that does the changes via SSH2 keyboard-interactive that works with privsep on.

[1] ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/snapshot/ or one of its mirrors listed at http://www.openssh.com/portable.html

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Both warnings and expiration messages work correctly with openssh-SNAP-20031221 and no other changes in my configuration. Will the next release have this code included? When is that planned?

Thanks for your help,
Stephen Roylance

-----Original Message-----
From: Darren Tucker [mailto:dtucker at zip.com.au]
Sent: Monday, December 22, 2003 6:41 PM
To: Roylance, Stephen D.
Cc: 'openssh-unix-dev at mindrot.org'
Subject: Re: OpenSSH + PADL pam_ldap.so + password aging
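To make concrete what "prompts being lost" means in the thread above, and why relaying the PAM conversation over SSH2 keyboard-interactive (RFC 4256) fixes it, here is an added Python model. It is not OpenSSH or pam_ldap code; the grouping of pam_ldap's messages into pam_conv() calls is an assumption based on the /bin/login transcript.

```python
# Added model (not OpenSSH or pam_ldap code) of how PAM conversation
# messages are relayed to an SSH client, and which ones get lost.
# The four PAM message styles, numbered as in <security/pam_appl.h>.
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4
PROMPT_STYLES = (PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON)

# Constructed from the /bin/login transcript in the thread; each inner list is
# one assumed pam_conv() call holding (style, text) messages.
PAM_LDAP_CALLS = [
    [(PAM_TEXT_INFO, "You are required to change your LDAP password immediately."),
     (PAM_TEXT_INFO, "Choose a new password."),
     (PAM_PROMPT_ECHO_OFF, "Enter login(LDAP) password: ")],
    [(PAM_ERROR_MSG, "LDAP Password incorrect: try again"),
     (PAM_PROMPT_ECHO_OFF, "Enter login(LDAP) password: ")],
    [(PAM_PROMPT_ECHO_OFF, "New password: ")],
    [(PAM_PROMPT_ECHO_OFF, "Re-enter new password: ")],
]

def prompt_only_relay(call):
    """Conversation function that only forwards prompts: informational and
    error text has no channel to the client and is silently dropped."""
    prompts = [(t, s == PAM_PROMPT_ECHO_ON) for s, t in call if s in PROMPT_STYLES]
    return {"instruction": "", "prompts": prompts} if prompts else None

def kbdint_relay(call):
    """Relay one pam_conv() call as one SSH_MSG_USERAUTH_INFO_REQUEST:
    non-prompt text is carried in the 'instruction' field, prompts keep
    their echo flag, and a request with zero prompts is still sent."""
    instruction, prompts = [], []
    for style, text in call:
        if style in PROMPT_STYLES:
            prompts.append((text, style == PAM_PROMPT_ECHO_ON))
        else:
            instruction.append(text)
    return {"instruction": "\n".join(instruction), "prompts": prompts}

def lost_messages(calls, relay):
    """Texts pam_ldap emitted that never reach the user under 'relay'."""
    lost = []
    for call in calls:
        req = relay(call)
        shown = "" if req is None else req["instruction"] + "".join(p for p, _ in req["prompts"])
        lost += [t for _, t in call if t not in shown]
    return lost

if __name__ == "__main__":
    for name, relay in (("prompt-only", prompt_only_relay), ("kbd-interactive", kbdint_relay)):
        print(name, "drops:", lost_messages(PAM_LDAP_CALLS, relay))
```

The prompt-only relay drops exactly the warning and error lines that were missing from the PuTTY session; the keyboard-interactive relay loses nothing, which is the behaviour Stephen reports with the snapshot.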