douglas.manton at uk.ibm.com
2000-Sep-05 14:49 UTC
[PATCH] Added features for AIX authentication
Please find attached a patch I put together to provide some useful extras using OpenSSH 2.2.0p1 under AIX. I have been forced to write these to allow OpenSSH to conform to our local security policy and to aid our user administration department.

Please note that in testing of this latest release we found "useLogin yes" to be broken again. Since login provides no extra functionality in this environment we have disabled it completely. This change was omitted from this patch.

- Prompts user to change expired password (regardless of authentication method used, but only for interactive sessions). This enforces the system's password policy. E.g.

    $ ssh remotehost
    testing's New password:
    Your new password must have:
        minimum of 1 alphabetic character
        minimum of 1 non-alphabetic character
        minimum of 3 characters not in old password
        maximum of 2 repeated characters
        minimum of 6 characters in length
    Your password failed to meet:
        minimum of 1 alphabetic character
        minimum of 1 non-alphabetic character
        minimum of 6 characters in length
    user at remotehost's password:
    3004-610 You are required to change your password. Please choose a new one.
    user's New password:
    Re-enter user's new password:
    $

- Reports why login is denied to users who have successfully authenticated but cannot log in due to security restriction (locked account, no rlogin, logintimes). E.g.

    $ ssh remotehost
    Enter passphrase for RSA key 'user at localhost':
    Received disconnect: There have been too many unsuccessful login attempts; please see the system administrator.

    $ scp test remotehost:test
    testing at localhost's password:
    Received disconnect: You are not allowed to login at this time.
    lost connection

- Increments the failed login count with each failed authentication attempt (to match AIX login's behaviour). Previous behaviour was to increment once after AUTH_FAIL_MAX attempts. Our policy is 5 strikes -- the previous behaviour gave 25.

I have tested these with the OpenSSH client and SecureCRT v3.1. They don't attempt to extend the SSH protocols -- they work within established sessions.

(See attached file: aix_changes.patch)

Best wishes,

--------------------------------------------------------
Doug Manton, AT&T EMEA Firewall and Security Solutions
demanton at att.com
--------------------------------------------------------
"If privacy is outlawed, only outlaws will have privacy"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: aix_changes.patch
Type: application/octet-stream
Size: 6073 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20000905/42015690/attachment.obj