bugzilla-daemon at mindrot.org
2004-May-17 22:40 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

Summary: Password expiration does not work for LDAP users
Product: Portable OpenSSH
Version: -current
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: critical
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: gokoyev at us.ibm.com

There appears to be a problem with SSH on AIX 5.1 on systems running the secldap client (secldapclntd): ssh ignores the maxage attribute specified for the SYSTEM=LDAP users in the LDAP directory. Instead ssh is looking for the maxage attribute in /etc/security/user and the 'lastupdate' in /etc/security/passwd. If the default stanza in /etc/security/user does not contain maxage, the LDAP user never gets a prompt to change the expired password. If the default stanza does contain maxage, then the user always (even after changing the password successfully) gets prompted to change the password (LDAP users do not have stanzas in /etc/security/passwd with the lastupdate attribute).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-May-17 23:17 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

------- Additional Comments From dtucker at zip.com.au 2004-05-18 09:17 -------
All sshd does is call the system-supplied functions (setauthdb, passwdexpired); it doesn't go looking into /etc/security itself. Does telnetd do what you expect?
bugzilla-daemon at mindrot.org
2004-May-18 03:21 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

------- Additional Comments From vg at evasik.com 2004-05-18 13:21 -------
Thanks for the fast response. telnetd does prompt for a password change. I will test the passwdexpired function to see if it returns 0 as soon as I get back in the office; it seems it's looking at the wrong registry. Also, if I set UseLogin to yes, sshd appears to work fine (I wonder if 'login' uses passwdexpired or something else like loginrestrictions?).
bugzilla-daemon at mindrot.org
2004-May-18 03:37 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED

------- Additional Comments From dtucker at zip.com.au 2004-05-18 13:37 -------
If you run the server in debug mode ("/path/to/sshd -ddd") you can see what arguments are given to setauthdb and what the results of passwdexpired are. Most of the AIX-specific code (including those bits) is in openbsd-compat/port-aix.c.

Logging in via telnet is going to exec /usr/bin/login anyway, so it's not surprising that sshd with UseLogin works. What we need to figure out is what login does differently in this case...
bugzilla-daemon at mindrot.org
2004-May-18 04:08 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

------- Additional Comments From dtucker at zip.com.au 2004-05-18 14:08 -------
Oh, and please attach the debug output from the server to this bug (use "Create a New Attachment").
bugzilla-daemon at mindrot.org
2004-May-18 14:19 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

------- Additional Comments From gokoyev at us.ibm.com 2004-05-19 00:19 -------
Created an attachment (id=637)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=637&action=view)
Debug output from sshd -ddd

passwdexpired is returning 1 for a password that is only 4 days old; maxage set to 13 weeks?!
bugzilla-daemon at mindrot.org
2004-May-18 15:10 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |INVALID
            Version|-current                    |3.7.1p2

------- Additional Comments From dtucker at zip.com.au 2004-05-19 01:10 -------
From the debugging:

debug1: match: OpenSSH_3.7.1p2-pwexp26_krb5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26_krb5
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): A file or directory in the path name does not exist.

That looks like the IBM-supplied package (which is modified). It's not the software as supplied by the OpenSSH team. (It's not the version you put in the bug report either.) You need to open a PMR against the IBM OpenSSH package.

Feel free to reopen this bug if you can reproduce the error with the vanilla 3.8.1p1 source distribution.
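A small triage helper, added here and not part of the bug thread or of OpenSSH, that applies the check made in the comment above: it pulls the local version string out of saved "sshd -ddd" output, flags a build carrying a vendor suffix (such as -pwexp26_krb5) so the report goes to the vendor rather than upstream, and counts failed dlopen lines. The sample log is constructed from the lines quoted in this comment.

```shell
#!/bin/sh
# Constructed sample of sshd -ddd output, taken from the lines quoted in the bug
# (not the real attachment id=637).
SAMPLE_LOG='debug1: match: OpenSSH_3.7.1p2-pwexp26_krb5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26_krb5
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): A file or directory in the path name does not exist.'

# Print the server's own version string (the part after "SSH-2.0-") from a
# debug log given on stdin; empty output if the line is absent.
sshd_version() {
    sed -n 's/^debug1: Local version string SSH-2\.0-//p' | head -n 1
}

# Succeed only for a stock portable OpenSSH release of the form
# OpenSSH_<major>.<minor>[.<patch>]p<n>; anything appended after that
# (e.g. -pwexp26_krb5) marks a vendor-modified build.
is_vanilla() {
    printf '%s\n' "$1" | grep -Eq '^OpenSSH_[0-9]+\.[0-9]+(\.[0-9]+)?p[0-9]+$'
}

# Count "Failed dlopen" lines on stdin; a non-zero count means a library the
# build was configured for (here Kerberos) is missing at run time.
dlopen_failures() {
    grep '^debug1: Failed dlopen' | wc -l | tr -d ' '
}

# Classify a whole log: 0 = vanilla build, 1 = vendor build, 2 = no banner found.
triage() {
    ver=$(printf '%s\n' "$1" | sshd_version)
    if [ -z "$ver" ]; then
        echo "no version string found in log"
        return 2
    fi
    if is_vanilla "$ver"; then
        echo "vanilla build: $ver (reproduce against upstream source)"
        return 0
    fi
    echo "vendor-modified build: $ver (open the report with the vendor)"
    return 1
}
```

Run as `sshd -ddd -p 2222 2>sshd.log` on a scratch port, then `triage "$(cat sshd.log)"`.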
bugzilla-daemon at mindrot.org
2004-May-18 15:11 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

------- Additional Comments From gokoyev at us.ibm.com 2004-05-19 01:11 -------
Created an attachment (id=638)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=638&action=view)
test of passwdexpired() alone

The attached program returns this:

password not expired
passwdexpired() returened 0

If I set the time forward 13 weeks it returns this:

# /tmp/p
password expired
passwdexpired() returened 1

Does this mean that aix_setauthdb is not setting the registry correctly?

regards
Vasiliy
bugzilla-daemon at mindrot.org
2004-May-18 16:51 UTC
[Bug 869] Password expiration does not work for LDAP users
http://bugzilla.mindrot.org/show_bug.cgi?id=869

gokoyev at us.ibm.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
            Version|3.7.1p2                     |-current

------- Additional Comments From gokoyev at us.ibm.com 2004-05-19 02:51 -------
Just recompiled 3.8.1p1 and the issue does not exist. Thank you for your help.