MAYANK SHARMA
2018-Jun-15 10:25 UTC
Connection terminates just after changing the password for user whose password was expired.
Hi,

I am using OpenSSH 7.5 on the AIX platform and I was testing it against the user's password-expired functionality. Normally when a password is expired and I do telnet, it will prompt for a password change and at the same time the user will be allowed to log in successfully. But when I try the same with ssh, it prompts me for a password change and after changing the password, the connection terminates.

Recreation steps -
-------------------------
1. Create any user and set the password of that user with the root user.
2. Run the following command: ssh user@localhost
3. It will prompt for a password. Give the password appropriately.
4. You will see the connection will terminate just after giving the password, as shown below -

    # ssh tstuser@localhost
    tstuser@localhost's password:
    [compat]: 3004-610 You are required to change your password.
    Please choose a new one.
    *******************************************************************************
    *                                                                             *
    *  Welcome to AIX Version 7.1!                                                *
    *                                                                             *
    *  Please see the README file in /usr/lpp/bos for information pertinent to   *
    *  this release of the AIX Operating System.                                  *
    *                                                                             *
    *******************************************************************************
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for "tstuser"
    tstuser's Old password:
    tstuser's New password:
    Enter the new password again:
    Connection to localhost closed.

I went through the source code and what I came to know is that in the file "session.c", there is a function "do_pwchange", which includes "exit(1)" just after the password change.

    static void
    do_pwchange(Session *s)
    {
            fflush(NULL);
            fprintf(stderr, "WARNING: Your password has expired.\n");
            if (s->ttyfd != -1) {
                    fprintf(stderr,
                        "You must change your password now and login again!\n");
    #ifdef WITH_SELINUX
                    setexeccon(NULL);
    #endif
                    /* Replace this process with passwd; execl() only
                     * returns if the exec itself failed. */
    #ifdef PASSWD_NEEDS_USERNAME
                    execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
                        (char *)NULL);
    #else
                    execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
    #endif
                    perror("passwd");
            } else {
                    fprintf(stderr,
                        "Password change required but no TTY available.\n");
            }
            /* Reached only when there was no TTY or the exec failed. */
            exit(1);
    }

Therefore, I want to know why "exit(1)" is placed just after the password change and why the user is not allowed to log in at the same time when he changes the password.

--
Thanks & Regards:
Mayank Sharma
MAYANK SHARMA
2018-Jun-19 12:10 UTC
Connection terminates just after changing the password for user whose password was expired.
Hi All,

Is anyone aware of this behavior?

On Fri, Jun 15, 2018 at 3:55 PM, MAYANK SHARMA <mayank.fit2010 at gmail.com> wrote:
> Hi,
>
> I am using OpenSSH 7.5 on the AIX platform and I was testing it against
> the user's password-expired functionality.
> Normally when a password is expired and I do telnet, it will prompt for a
> password change and at the same time the user will be allowed to log in
> successfully.
> But when I try the same with ssh, it prompts me for a password change and
> after changing the password, the connection terminates.
>
> Recreation steps -
> -------------------------
> 1. Create any user and set the password of that user with the root user.
> 2. Run the following command: ssh user@localhost
> 3. It will prompt for a password. Give the password appropriately.
> 4. You will see the connection will terminate just after giving the password,
> as shown below -
>
> # ssh tstuser@localhost
> tstuser@localhost's password:
> [compat]: 3004-610 You are required to change your password.
> Please choose a new one.
> *******************************************************************************
> *                                                                             *
> *  Welcome to AIX Version 7.1!                                                *
> *                                                                             *
> *  Please see the README file in /usr/lpp/bos for information pertinent to   *
> *  this release of the AIX Operating System.                                  *
> *                                                                             *
> *******************************************************************************
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for "tstuser"
> tstuser's Old password:
> tstuser's New password:
> Enter the new password again:
> Connection to localhost closed.
>
> I went through the source code and what I came to know is that in the file
> "session.c", there is a function "do_pwchange", which includes "exit(1)"
> just after the password change.
>
> static void
> do_pwchange(Session *s)
> {
>         fflush(NULL);
>         fprintf(stderr, "WARNING: Your password has expired.\n");
>         if (s->ttyfd != -1) {
>                 fprintf(stderr,
>                     "You must change your password now and login again!\n");
> #ifdef WITH_SELINUX
>                 setexeccon(NULL);
> #endif
> #ifdef PASSWD_NEEDS_USERNAME
>                 execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
>                     (char *)NULL);
> #else
>                 execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
> #endif
>                 perror("passwd");
>         } else {
>                 fprintf(stderr,
>                     "Password change required but no TTY available.\n");
>         }
>         exit(1);
> }
>
> Therefore, I want to know why "exit(1)" is placed just after the password
> change and why the user is not allowed to log in at the same time when he
> changes the password.
>
> --
> Thanks & Regards:
> Mayank Sharma

--
Thanks & Regards:
Mayank Sharma
MAYANK SHARMA
2018-Jun-26 06:54 UTC
Connection terminates just after changing the password for user whose password was expired.
Hi All,

Does anyone have any update/conclusion?

On Fri, Jun 15, 2018 at 3:55 PM, MAYANK SHARMA <mayank.fit2010 at gmail.com> wrote:
> Hi,
>
> I am using OpenSSH 7.5 on the AIX platform and I was testing it against
> the user's password-expired functionality.
> Normally when a password is expired and I do telnet, it will prompt for a
> password change and at the same time the user will be allowed to log in
> successfully.
> But when I try the same with ssh, it prompts me for a password change and
> after changing the password, the connection terminates.
>
> Recreation steps -
> -------------------------
> 1. Create any user and set the password of that user with the root user.
> 2. Run the following command: ssh user@localhost
> 3. It will prompt for a password. Give the password appropriately.
> 4. You will see the connection will terminate just after giving the password,
> as shown below -
>
> # ssh tstuser@localhost
> tstuser@localhost's password:
> [compat]: 3004-610 You are required to change your password.
> Please choose a new one.
> *******************************************************************************
> *                                                                             *
> *  Welcome to AIX Version 7.1!                                                *
> *                                                                             *
> *  Please see the README file in /usr/lpp/bos for information pertinent to   *
> *  this release of the AIX Operating System.                                  *
> *                                                                             *
> *******************************************************************************
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for "tstuser"
> tstuser's Old password:
> tstuser's New password:
> Enter the new password again:
> Connection to localhost closed.
>
> I went through the source code and what I came to know is that in the file
> "session.c", there is a function "do_pwchange", which includes "exit(1)"
> just after the password change.
>
> static void
> do_pwchange(Session *s)
> {
>         fflush(NULL);
>         fprintf(stderr, "WARNING: Your password has expired.\n");
>         if (s->ttyfd != -1) {
>                 fprintf(stderr,
>                     "You must change your password now and login again!\n");
> #ifdef WITH_SELINUX
>                 setexeccon(NULL);
> #endif
> #ifdef PASSWD_NEEDS_USERNAME
>                 execl(_PATH_PASSWD_PROG, "passwd", s->pw->pw_name,
>                     (char *)NULL);
> #else
>                 execl(_PATH_PASSWD_PROG, "passwd", (char *)NULL);
> #endif
>                 perror("passwd");
>         } else {
>                 fprintf(stderr,
>                     "Password change required but no TTY available.\n");
>         }
>         exit(1);
> }
>
> Therefore, I want to know why "exit(1)" is placed just after the password
> change and why the user is not allowed to log in at the same time when he
> changes the password.
>
> --
> Thanks & Regards:
> Mayank Sharma

--
Thanks & Regards:
Mayank Sharma
Darren Tucker
2018-Jun-26 07:07 UTC
Connection terminates just after changing the password for user whose password was expired.
On 26 June 2018 at 16:54, MAYANK SHARMA <mayank.fit2010 at gmail.com> wrote:
> Hi All,
>
> Does anyone have any update/conclusion?

It's deliberate. sshd disables some functionality when it detects an expired password (eg port forwarding) and it's difficult to reliably detect whether or not a password was successfully changed (there is no standardization around exit values of passwd, for example). Requiring the user to log in again is the simplest way to make sure all of the checks are run again.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience.
    Unfortunately, the experience usually comes from bad judgement.
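An added example (not OpenSSH code, not from anyone in this thread) that mirrors the three paths through do_pwchange() in a forked child so a parent can see how each one ends; it assumes a POSIX system where /bin/true and /bin/false stand in for _PATH_PASSWD_PROG. It shows that the exit(1) is only reached when there is no TTY or when execl() itself fails, and that the status returned by the exec'd program (/bin/false here) is indistinguishable from an exec failure, which is exactly why a parent cannot reliably tell from passwd's exit value whether the change succeeded.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Mirror of do_pwchange()'s control flow, run in a forked child so the
 * parent can see how each path ends. has_tty stands in for s->ttyfd != -1
 * and prog for _PATH_PASSWD_PROG (constructed inputs; passwd never runs). */
static void pwchange_child(const char *prog, int has_tty)
{
	fflush(NULL);
	fprintf(stderr, "WARNING: Your password has expired.\n");
	if (has_tty) {
		fprintf(stderr, "You must change your password now and login again!\n");
		/* On success execl() never returns: this process *becomes* prog
		 * and the session ends whenever prog exits. */
		execl(prog, "passwd", (char *)NULL);
		perror("passwd");	/* only reached if execl() itself failed */
	} else {
		fprintf(stderr, "Password change required but no TTY available.\n");
	}
	exit(1);			/* no TTY, or exec failed */
}

/* Fork, run the child path above and return its exit status, or -1 on
 * fork/wait failure or if the child was killed by a signal. */
int run_pwchange(const char *prog, int has_tty)
{
	int status;
	pid_t pid;
	fflush(NULL);			/* don't duplicate buffered output in the child */
	if ((pid = fork()) < 0)
		return -1;
	if (pid == 0)
		pwchange_child(prog, has_tty);	/* never returns */
	if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
		return -1;
	return WEXITSTATUS(status);
}

int main(void)
{
	printf("no tty       -> %d\n", run_pwchange("/bin/true", 0));
	printf("exec ok      -> %d\n", run_pwchange("/bin/true", 1));
	printf("exec fails   -> %d\n", run_pwchange("/nonexistent/passwd", 1));
	printf("passwd fails -> %d\n", run_pwchange("/bin/false", 1));
	return 0;
}
```

The "exec fails" and "passwd fails" cases both come back as 1, so nothing in the parent's view separates "passwd reported failure" from "passwd never ran".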