bugzilla-daemon at mindrot.org
2006-Jun-08 14:25 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
Summary: Open ssh will not allow changing of passwords on
usernames greater than 8 characters.
Product: Portable OpenSSH
Version: 3.9p1
Platform: Sparc
OS/Version: Solaris
Status: NEW
Keywords: help-wanted
Severity: major
Priority: P2
Component: ssh
AssignedTo: bitbucket at mindrot.org
ReportedBy: andrew.jones at phoenix.co.uk
Trying to run ssh 3.9p1 on Solaris 8 but when I try and change the
password on a username greater than 8 characters the following happens.
login as: abcdefghi
abcdefghi at chewbacca's password:
Last login: Wed Jun 7 13:52:28 2006 from it59114.corp.re
Sun Microsystems Inc. SunOS 5.7 Generic
October 1998
WARNING: Your password has expired.
You must change your password now and login again!
passwd: Changing password for abcdefgh
passwd(SYSTEM): abcdefgh does not exist
Permission denied
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Jun-08 15:12 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
------- Comment #1 from dtucker at zip.com.au 2006-06-09 01:12 -------
I believe this is a bug or limitation in Solaris' "passwd" command
(which is what sshd invokes under the covers in this situation) which
occurs when the username is more than 8 characters, and that if you run
"/bin/passwd abcdefghi" on the command line you will see the same
error.
I can suggest the following things to try:
1) Don't have usernames more than 8 characters long on Solaris (or at
least, that version), since it does not appear to be supported.
2) configure sshd to only allow authentication via challenge-response
authentication ("PasswordAuthentication no" and
"ChallengeResponseAuthentication yes") which will allow sshd to change
expired passwords by calling pam_chauthtok() directly (assuming this
works, I have not tried it under those conditions). This is more
likely to work with the current OpenSSH version (4.3p2) than 3.9p1.
3) Configure sshd with UsePrivilegeSeparation=no. This will mean that
sshd will have the privileges required to call pam_chauthtok() rather
than execute /bin/passwd. (again, if it works as I've not tried it)
4) ask Sun to fix /bin/passwd to work properly with usernames longer
than 8 chars.
bugzilla-daemon at mindrot.org
2006-Jun-10 00:18 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
------- Comment #2 from dtucker at zip.com.au 2006-06-10 10:18 -------
According to Andrew, Sun has the following to say on the subject:
[quote]
The truncation of usernames to 8 characters is a known limitation.
Technically Solaris (2.5.1 - 10) doesn't officially support usernames
longer than 8 characters (see useradd(1M), which warns you when creating
a long username). Solaris will run and allow logins with longer names
however, several commands, like /bin/passwd, and other utilities are
unable to handle them properly.
Many RFEs have been logged to get this changed, but they've all been
closed in the past as "Will not fix" due to the requirement to keep
inter-operability between the Solaris releases.
This point of view is being reviewed and an RFE for this limitation
is currently open (Bug/RFE: 4109819).
Until this is changed, the only way users with long usernames will be
able to change their passwd is by explicitly calling /bin/passwd with
the full username:
$ /bin/passwd longusername
[/quote]
I suggest trying rebuilding OpenSSH with "./configure
--with-cflags=-DPASSWD_NEEDS_USERNAME" which will do what is described
above.
I'm not sure if it will have any other side effects though (on some
platforms that only works for root, and by the time sshd invokes passwd
it has already given up all of its privileges).
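An audit for the condition discussed in comments #1 and #2 (login names longer than 8 characters), as an added example that is not part of the original thread or of OpenSSH. The function names and the sample entries are constructed for illustration; only the name abcdefghi comes from the report.

```shell
#!/bin/sh
# Added example: audit passwd(4)-format data for login names longer than
# 8 characters and show what each becomes when cut to 8 characters.

# Constructed sample; every UID, comment and path here is invented.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
abcdefghi:x:1001:10:Name from the report:/export/home/abcdefghi:/bin/sh
operator:x:1002:10:Eight characters:/export/home/operator:/bin/sh
operator2:x:1003:10:Nine characters:/export/home/operator2:/bin/sh
+::::::
EOF
}

# audit_long_usernames [FILE...]
# Reads passwd(4) lines from FILE(s) or stdin. For each login name longer
# than 8 characters prints: <name> <first 8 chars> <status>
#   NO-MATCH  the 8-character prefix is not an account (the "abcdefgh does
#             not exist" case in the report)
#   COLLIDES  the 8-character prefix is another account's login name
audit_long_usernames() {
    awk -F: '
        /^[#+-]/ || NF < 7 { next }   # comments, compat entries, short lines
        { seen[$1] = 1; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (length(name) <= 8) continue
                short = substr(name, 1, 8)
                status = (short in seen) ? "COLLIDES" : "NO-MATCH"
                printf "%s %s %s\n", name, short, status
            }
        }' "$@"
}

sample_passwd | audit_long_usernames
```

On a live host, pass the account file as the argument, for example audit_long_usernames /etc/passwd. On Solaris, substitute nawk or /usr/xpg4/bin/awk for awk, since /usr/bin/awk there is the pre-POSIX awk.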
bugzilla-daemon at mindrot.org
2006-Jun-23 11:36 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
------- Comment #3 from dtucker at zip.com.au 2006-06-23 21:36 -------
Created an attachment (id=1149)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1149&action=view)
Define PASSWD_NEEDS_USERNAME for Solaris
Brief experimentation indicates that this will work. Is it worth adding
this as a workaround?
bugzilla-daemon at mindrot.org
2006-Jun-23 13:04 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
------- Comment #4 from djm at mindrot.org 2006-06-23 23:04 -------
it looks sane, but will need testing across the solaris[-es/en] we support
bugzilla-daemon at mindrot.org
2006-Jun-23 13:12 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
dtucker at zip.com.au changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
------- Comment #5 from dtucker at zip.com.au 2006-06-23 23:11 -------
(In reply to comment #4)
> it looks sane, but will need testing across the solaris[-es/en] we
> support
I can test 2.5.1, 8 and 9. 10 (and maybe opensolaris) would be
important to test but I'm less worried about the ones in the middle.
Note for anyone testing the patch: you will need to run "autoreconf"
from autoconf-2.59 to rebuild configure before reconfiguring and
building.
bugzilla-daemon at mindrot.org
2006-Jun-24 02:11 UTC
[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.
http://bugzilla.mindrot.org/show_bug.cgi?id=1193
dtucker at zip.com.au changed:
                What    |Removed                     |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|                            |1155
                  Status|ASSIGNED                    |RESOLVED
              Resolution|                            |FIXED
------- Comment #6 from dtucker at zip.com.au 2006-06-24 12:11 -------
Tested OK on the systems I have access to. Patch applied and will be
in OpenSSH 4.4.