Hello!
Today I found, downloaded and compiled openssh-2.2.0p1. It basically worked,
except that users other than root were not allowed to log in. My system is
Linux-2.4.0-test7 with glibc-2.1.3. No PAM is installed/used. It uses MD5
passwords and shadow with the account expiration feature.
In the handling of the latter, a probable bug was found. In auth.c,
allowed_user(), there is code at line 73 saying

    ...
    /* Check password expiry */
    if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) &&
        (days > (spw->sp_lstchg + spw->sp_inact)))
            return 0;
    }
    ...
In my opinion, this is wrong. sp_inact tells how long the account may remain
inactive until it is locked, measured from the last login time. It is set to
30 days for all users on my system. Adding the date of the last password change
to this value is meaningless, and this test fails for all my users.
On the other hand, there is an sp_max entry, stating the maximum number of days
between password changes. This is the right value for us. So I changed the code
to be as follows:

    /* Check password expiry */
    if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) &&
        (days > (spw->sp_lstchg + spw->sp_max)))
            return 0;
    }
And with that, all works well and all users are correctly permitted to log in.
I'm not sending a patch because I think it is easier to edit the source by hand
than to apply a patch, in this case.
With regards,
Pavel Troller
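[Editor's note] To make the difference between the two checks concrete, below is an added example that is not part of the message above nor of the OpenSSH source. It parses constructed /etc/shadow lines (placeholder hashes, hypothetical users alice, bob and carol) into the three fields the checks read, using the field names from <shadow.h>, and evaluates both the original lstchg + inact test and the lstchg + max test from the message on a fixed "today" of day 11210 (roughly September 2000, chosen so the arithmetic is reproducible). Empty shadow fields are mapped to -1, as glibc does, so the "> 0" guards behave as on a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The shadow(5) fields the two checks read; names follow <shadow.h>. An empty
 * field is stored as -1, so the "> 0" guards below skip it like a real struct spwd. */
struct shadow_entry {
    char name[64];
    long sp_lstchg;  /* last password change, days since 1970-01-01 */
    long sp_max;     /* maximum days between password changes */
    long sp_inact;   /* inactivity period, days */
};

static long field_to_long(const char *s)
{
    char *end; long v;
    if (*s == '\0')
        return -1;                      /* empty field: not set */
    v = strtol(s, &end, 10);
    return (*end == '\0') ? v : -1;     /* trailing garbage: treat as unset */
}

/* Parse "name:passwd:lstchg:min:max:warn:inact:expire:flag" by hand, since
 * strtok() would merge the empty fields that mean "unset". 0 ok, -1 malformed. */
int parse_shadow_line(const char *line, struct shadow_entry *e)
{
    char buf[256], *field[9], *p;
    int n = 1;

    if (strlen(line) >= sizeof(buf))
        return -1;
    strcpy(buf, line);
    buf[strcspn(buf, "\n")] = '\0';
    field[0] = buf;
    for (p = buf; *p != '\0' && n < 9; p++) {
        if (*p == ':') {
            *p = '\0';
            field[n++] = p + 1;
        }
    }
    if (n != 9 || strlen(field[0]) >= sizeof(e->name))
        return -1;
    strcpy(e->name, field[0]);
    e->sp_lstchg = field_to_long(field[2]);
    e->sp_max    = field_to_long(field[4]);
    e->sp_inact  = field_to_long(field[6]);
    return 0;
}

/* The test quoted from openssh-2.2.0p1 auth.c (lstchg + inact): 1 = refused. */
int expired_original(const struct shadow_entry *e, long days)
{
    return (e->sp_lstchg > 0) && (e->sp_inact > 0) &&
           (days > (e->sp_lstchg + e->sp_inact));
}

/* The same test with sp_max substituted, as changed in the message. */
int expired_proposed(const struct shadow_entry *e, long days)
{
    return (e->sp_lstchg > 0) && (e->sp_max > 0) &&
           (days > (e->sp_lstchg + e->sp_max));
}

/* Run a check straight from a shadow line: 1 refused, 0 allowed, -1 unparsable. */
int refused_original(const char *line, long days)
{
    struct shadow_entry e;
    return parse_shadow_line(line, &e) ? -1 : expired_original(&e, days);
}

int refused_proposed(const char *line, long days)
{
    struct shadow_entry e;
    return parse_shadow_line(line, &e) ? -1 : expired_proposed(&e, days);
}

int main(void)
{
    /* Constructed sample lines with placeholder hashes; "today" is fixed at
     * day 11210. A live check would use time(NULL) / 86400 as the shadow tools do. */
    static const char *sample[] = {
        "alice:$1$salt$placeholder:11170:0:99999:7:30::", /* changed 40 days ago */
        "bob:$1$salt$placeholder:11100:0:60:7:30::",      /* 110 days ago, max 60 */
        "carol:$1$salt$placeholder:11170:0:99999:7:::",   /* inact field empty */
    };
    long days = 11210;
    size_t i;

    for (i = 0; i < sizeof(sample) / sizeof(sample[0]); i++) {
        struct shadow_entry e;
        if (parse_shadow_line(sample[i], &e) != 0)
            continue;
        printf("%-6s lstchg=%ld max=%ld inact=%ld  original:%s  proposed:%s\n",
               e.name, e.sp_lstchg, e.sp_max, e.sp_inact,
               expired_original(&e, days) ? "refused" : "allowed",
               expired_proposed(&e, days) ? "refused" : "allowed");
    }
    return 0;
}
```

With the sample data, alice (password changed 40 days ago, inact 30, max 99999) is refused by the original check and allowed by the proposed one, which is the symptom described above; bob is refused by both because his password really is older than his sp_max; carol, whose inact field is empty, is allowed by both because the original check's sp_inact guard never fires. One caveat for anyone reusing the fix: shadow(5) defines sp_inact as a grace period counted from password expiry, i.e. from sp_lstchg + sp_max, rather than from the last login, so a check that honours all three fields would compare days against sp_lstchg + sp_max + sp_inact; the example deliberately keeps to the two variants shown on this page.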