Currently, OpenSSH prints the message:
"Warning: You password has expired, please change it now"
if the password has expired. It would be nice if the user could/had to
change password before continuing, like with Linux console login. I've
tried to make a patch, but it doesn't work. Ideas?
--- auth-pam.c.org Wed Oct 11 18:03:43 2000
+++ auth-pam.c Wed Oct 11 18:03:44 2000
@@ -36,9 +36,6 @@
RCSID("$Id: auth-pam.c,v 1.12 2000/08/29 22:57:50 djm Exp $");
-#define NEW_AUTHTOK_MSG \
- "Warning: You password has expired, please change it now"
-
/* Callbacks */
static int pamconv(int num_msg, const struct pam_message **msg,
struct pam_response **resp, void *appdata_ptr);
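Review bot: deleting NEW_AUTHTOK_MSG at the top of the file removes the only notice sshd itself gives the user about the expiry. After this change the user gets no explanation from sshd before being asked for a password change, and nothing at all if the change fails, because the second hunk only calls log(). Consider keeping a pam_msg_cat() notice and fixing the typo in the string ("You password" should read "Your password") rather than dropping it.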
@@ -175,11 +172,17 @@
pam_retval = pam_acct_mgmt((pam_handle_t *)pamh, 0);
switch (pam_retval) {
- case PAM_SUCCESS:
+ case PAM_SUCCESS:
/* This is what we want */
break;
- case PAM_NEW_AUTHTOK_REQD:
- pam_msg_cat(NEW_AUTHTOK_MSG);
+ case PAM_AUTHTOK_EXPIRED:
+ case PAM_NEW_AUTHTOK_REQD:
+ pam_retval = pam_chauthtok((pam_handle_t *)pamh,
PAM_CHANGE_EXPIRED_
AUTHTOK);
+ if (pam_retval != PAM_SUCCESS) {
+ log("PAM change authtoken failed:
%.200s",
+ PAM_STRERROR((pam_handle_t *)pamh,
pam_retval));
+ return(0);
+ }
break;
default:
log("PAM rejected by account
configuration: %.200s",
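Review bot: the pam_chauthtok() call added under case PAM_NEW_AUTHTOK_REQD runs directly inside the switch on the pam_acct_mgmt() result, and it can only succeed if pamconv is able to prompt the user for the old and new passwords at that moment. If the conversation cannot interact with the user here, the call fails, the code logs and hits return(0), and the login is refused instead of the user being asked to change the password. Consider only recording that a change is required at this point and calling pam_chauthtok() later, once the session can talk to the user. Separately, PAM_AUTHTOK_EXPIRED is added as a fall-through label into the same branch: please add a comment explaining why that result should lead to a user-driven password change rather than going to the default rejection path. The whitespace-only change to the case PAM_SUCCESS: line should be dropped from the patch.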
--
/Peter Åstrand <altic at lysator.liu.se>
On Wed, 11 Oct 2000, Peter Astrand wrote:
: Currently, OpenSSH prints the message:
:
: "Warning: You password has expired, please change it now"
:
: if the password has expired. It would be nice if the user could/had to
: change password before continuing, like with Linux console login. I've
: tried to make a patch, but it doesn't work. Ideas?
Can you try the latest snapshot? There was a patch that went in
post-2.2.0p1 to add support for this.
btw, what messages do other PAM implementations add when a password
expires? Below is HP-UX 11.0 (with an unreleased libpam patch to get it
working). As you see PAM adds "Your password has expired.", which makes
the message ssh adds somewhat redundant. What about "Please change your
password now." for NEW_AUTHTOK_MSG?
[stevesk at jenny stevesk]$ ssh -p24 robinson
Last successful login for stevesk: Sat Oct 14 14:11:52 MET-1METDST 2000 on pts/4
Last unsuccessful login for stevesk: Sat Oct 14 13:15:33 MET-1METDST 2000 on pts/ta
Your password has expired.
Warning: Your password has expired, please change it now
Changing password for stevesk
Old password:
Last successful password change for stevesk: NEVER
Last unsuccessful password change for stevesk: Sat Oct 14 13:14:34 2000
Do you want (choose one letter only):
pronounceable passwords generated for you (g)
a string of letters generated (l) ?
to pick your passwords (p) ?
Enter choice here: p
New password:
Re-enter new password:
Passwd successfully changed
Last login: Sat Oct 14 14:11:52 2000 from jenny.foo