Hi All.

I'm pleased to report that as of yesterday, OpenSSH -current now supports forced changes of expired passwords on most platforms, and bug #14 is now closed.

Specifically, AIX's native authentication, BSD Authentication and shadow passwords with the expiry field are supported. The password is changed by exec'ing /usr/bin/passwd in the session. Interested parties should grab a snapshot and try it.

In addition, SSHv1 connections with UsePrivilegeSeparation=yes and UsePAM=yes will use the same /usr/bin/passwd mechanism.

Some time ago, a patch to do SSHv2 password changes via keyboard-interactive was also merged, and that should work with or without privsep.

For those who have been using my expiry patches, you should be aware that there are some differences in behaviour between them and -current:

1) password expiry is only checked for password authentication
2) after a change (successful or otherwise), the session is terminated and the user must log in again
3) AIX's loginsuccess() is not called for non-password authentications
4) There is no warning of pending account or password expirations for shadow passwords.
5) Last login times won't be displayed when lastlog is readable only by root.

Most of the other authentication-related fixes have been merged into -current.

1) and 2) are how it will probably stay. 3) and 5) probably won't be fixed until after the 3.8 release. I'm hoping to have 4) fixed in the next couple of days (if anyone wants patches to test, let me know).

For those used to my patches, I will do one more series against 3.8x with the same behaviour as present (including the not-yet-merged bits). Once those bits are merged post-3.8, I don't plan on any further patches.

Thanks to all who contributed patches, fixes, bug reports and testing of the patches during the last 18 months or so[1]. Not all of those contributions ended up being used in the final solution but all were valuable in shaping it.

Again, I encourage you to try a snapshot and report success or failure (or queries) to the list.

-Daz.

[1] Pablo Sor, Mark Pitt, Zdenek Tlusty, Kevin Cawlfield, Dan Oviatt, Ravinder Sekhon, Scott Burch and Andrew Elwell. Apologies to anyone I missed.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.