bugzilla-daemon at mindrot.org
2004-Apr-21 04:28 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

           Summary: OpenSSH_3.8.1p1 - passwd -f does not work
           Product: Portable OpenSSH
           Version: 3.8p1
          Platform: HPPA
        OS/Version: HP-UX
            Status: NEW
          Severity: major
          Priority: P2
         Component: ssh
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: selvesteen at netscape.net

sshd skips passwd -f <username> password expiry when run with the "UsePAM no" option.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Apr-21 04:31 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From selvesteen at netscape.net 2004-04-21 14:31 -------
Created an attachment (id=609)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=609&action=view)
server-log
bugzilla-daemon at mindrot.org
2004-Apr-21 04:33 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From selvesteen at netscape.net 2004-04-21 14:33 -------
Created an attachment (id=610)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=610&action=view)
Client_log

sshd skips passwd change while Telnet prompts for a password change
bugzilla-daemon at mindrot.org
2004-Apr-21 04:59 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From dtucker at zip.com.au 2004-04-21 14:59 -------
(From update of attachment 609)
[snip]
>debug3: mm_request_receive entering
>debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
>Failed publickey for mid from 127.0.0.1 port 49365 ssh2

The server log appears incomplete, there should be a section that looks like:

debug3: monitor_read: checking request 10
debug3: auth_shadow_pwexpired: today 12529 sp_lstchg 12407 sp_max 99999

Could you please attach that.

Also, what are the shadow settings in config.h? Do "grep SHADOW config.h" after running configure.
bugzilla-daemon at mindrot.org
2004-Apr-21 05:00 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
            Version|3.8p1                       |3.8.1p1
bugzilla-daemon at mindrot.org
2004-Apr-21 09:50 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

selvesteen at netscape.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #609 is|0                           |1
           obsolete|                            |
bugzilla-daemon at mindrot.org
2004-Apr-21 09:53 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From selvesteen at netscape.net 2004-04-21 19:53 -------
Created an attachment (id=611)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=611&action=view)
serverlog_shadow_installed

server-log with following options
1. shadow password installed
2. usepam no
bugzilla-daemon at mindrot.org
2004-Apr-21 09:55 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From selvesteen at netscape.net 2004-04-21 19:55 -------
Created an attachment (id=612)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=612&action=view)
serverlog_noshadow_usepamno

server log with following options
1. No shadow passwords in system
2. usepam no
bugzilla-daemon at mindrot.org
2004-Apr-21 09:56 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From selvesteen at netscape.net 2004-04-21 19:56 -------
Created an attachment (id=613)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=613&action=view)
serverlog_noshadow_usepamyes

server-log with following options
1. No shadow passwords
2. UsePAM yes
bugzilla-daemon at mindrot.org
2004-Apr-21 11:21 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From binder at arago.de 2004-04-21 21:21 -------
Michael, do you use password login? It seems with UsePAM=no, the password expiry code is only used for password logins, but not when using for example public key logins.

At least, I only find one call to auth_shadow_pwexpired, which is in auth-passwd.c
bugzilla-daemon at mindrot.org
2004-Apr-21 11:56 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From kumaresh_ind at gmx.net 2004-04-21 21:56 -------
Yes. It has been mentioned that the authentication used was password authentication. In sshd_config, the configurations are:

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes

A member in the passwd structure in HP-UX decides the password aging and it is "char pw_age". [try "man 4 passwd" on HP-UX systems for details]. This is applicable for /etc/passwd file only.

ssh code properly checks for the expired passwords with shadow passwords, with the field "spw->sp_expire" [function "auth_shadow_acctexpired()" in auth-shadow.c]. That's why it works with Shadow passwords.

So, IMHO, there has to be a check for the "pw_age" member when sshd is configured with "UsePAM no" and if the system does not have shadow support, as this case uses the /etc/passwd file.
bugzilla-daemon at mindrot.org
2004-Apr-21 12:09 UTC
[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

------- Additional Comments From dtucker at zip.com.au 2004-04-21 22:09 -------
Created an attachment (id=615)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=615&action=view)
Add debug for pw_age

That seems pretty much right, the only wrinkle is that "passwd -f" does not seem to set pw_age:

debug1: passwd gNrjkysyT2/LM pw_age

while /etc/passwd looks like this:

testuser:gNrjkysyT2/LM,..:203[...]
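
Added example (not part of the bug thread, and not OpenSSH's code or its fix): decoding the aging suffix of the /etc/passwd password field, such as the ",.." in the line quoted above, and deciding whether a password change is due. It assumes the classic System V encoding described in passwd(4) (max weeks, min weeks, then week of last change, in radix 64); a64_digit, pw_age_check and the enum are hypothetical names.

```c
#include <string.h>

enum age_state { AGE_NONE, AGE_OK, AGE_CHANGE_REQUIRED, AGE_INVALID };

/* Radix-64 digit of the aging field: "./0-9A-Za-z" maps to 0..63. */
static int a64_digit(char c)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    const char *p = c ? strchr(set, c) : NULL;
    return p ? (int)(p - set) : -1;
}

/* field: raw password column of an /etc/passwd line ("hash,Mmww").
 * now_week: current time in whole weeks since 1970-01-01.
 * Hypothetical helper; encoding assumed from passwd(4). */
enum age_state pw_age_check(const char *field, long now_week)
{
    const char *age = strchr(field, ',');
    long max, min = 0, last = 0;
    int shift = 0;

    if (age == NULL || *++age == '\0')
        return AGE_NONE;                    /* no aging information */
    if ((max = a64_digit(age[0])) < 0)
        return AGE_INVALID;
    if (age[1] != '\0') {
        if ((min = a64_digit(age[1])) < 0)
            return AGE_INVALID;
        for (const char *p = age + 2; *p != '\0'; p++, shift += 6) {
            int d = a64_digit(*p);
            if (d < 0 || shift > 6)         /* at most two week digits */
                return AGE_INVALID;
            last |= (long)d << shift;       /* low-order digit first */
        }
    }
    /* Conventional rule (assumption): a change is due when the stamp is
     * in the future, or older than max weeks while max >= min. ",.."
     * decodes to max = min = last = 0, so it always forces a change. */
    if (last > now_week || (now_week > last + max && max >= min))
        return AGE_CHANGE_REQUIRED;
    return AGE_OK;
}

int main(void)
{
    /* Field from the thread's /etc/passwd line; week 1789 is constructed
     * from the "today 12529" day count in the quoted debug output. */
    return pw_age_check("gNrjkysyT2/LM,..", 1789) == AGE_CHANGE_REQUIRED ? 0 : 1;
}
```

A non-PAM, non-shadow login path that only compares the hash never reaches a check like this, which is the gap the comments above describe.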