Are there plans, or does someone have a fix, for having openssh force users to change passwords when they're expired? Right now the program closes the connection....the commercial ssh manages to exec /bin/passwd after they enter their current password. Any ideas?
> Are there plans, or does someone have a fix, for having openssh force
> users to change passwords when they're expired?
>
> Right now the program closes the connection....the commercial ssh
> manages to exec /bin/passwd after they enter their current password.
>
> Any ideas?

Hmm, does PAM send back a special message when the password needs to be changed? I could envision changing the user shell to /bin/passwd if PAM complains...

--Dan
On Thu, 1 Mar 2001, Kevin Taylor wrote:
: Are there plans, or does someone have a fix, for having openssh force
: users to change passwords when they're expired?
:
: Right now the program closes the connection....the commercial ssh
: manages to exec /bin/passwd after they enter their current password.

there is only support thru PAM right now. i had started a multi-platform password interface last year, and while it was close to the point of being integrated, i have been side-tracked with stuff that was more interesting to work on. adding just code to run passwd if the password has expired isn't hard, and maybe we should do that.
On Thu, 1 Mar 2001, Dan Kaminsky wrote:
>>> Are there plans, or does someone have a fix, for having openssh force
>>> users to change passwords when they're expired?
>>>
>>> Right now the program closes the connection....the commercial ssh
>>> manages to exec /bin/passwd after they enter their current password.
>>>
>>> Any ideas?
>>
>> Hmm, does PAM send back a special message when the password needs to
>> be changed?
>>
>> I could envision changing the user shell to /bin/passwd if PAM
>> complains...
>
> It works for PAM now, but not for non-PAM.
>
> -d

That's what Kevin Steves was saying. Hopefully the code he was working on for the password interface for other systems will be implemented soon.

--
Kevin Taylor
Systems Administrator - DAAC, Code 902, Bldg 32, Rm N126A
Science Systems and Applications, Inc.
Goddard Space Flight Center
Greenbelt, MD 20771
Phone: (301) 614-5505
e-mail: ktaylor at daac.gsfc.nasa.gov
>> there is only support thru PAM right now. i had started a
>> multi-platform password interface last year, and while it was close to
>> the point of being integrated, i have been side-tracked with stuff that
>> was more interesting to work on. adding just code to run passwd if the
>> password has expired isn't hard, and maybe we should do that.
>
>
> Has any of this ended up in the current openssh portable code?

Forgive me if I'm repeating something since I missed the beginning of this thread. Without using PAM how do you intend to find out that the password has actually expired? Without reinventing what pam_acct_mgmt() does?

--
Darren J Moffat
Another platform I'd like to see this for is Solaris... Enough people run it and have expiring passwords that it is probably worth it. Of course, once we see the IRIX code, it wouldn't be that hard to port it to Solaris. (At least from what I can tell...)

--Matt

> -----Original Message-----
> From: Kevin Steves [mailto:stevesk at sweden.hp.com]
> Sent: Wednesday, March 28, 2001 1:03 AM
> To: Kevin Taylor
> Cc: openssh
> Subject: Re: Expired password handling in openssh-2.5.1p1/2
>
>
> On Tue, 27 Mar 2001, Kevin Taylor wrote:
> : > : Right now the program closes the connection....the commercial ssh
> : > : manages to exec /bin/passwd after they enter their current password.
> : >
> : > there is only support thru PAM right now. i had started a
> : > multi-platform password interface last year, and while it was close to
> : > the point of being integrated, i have been side-tracked with stuff that
> : > was more interesting to work on. adding just code to run passwd if the
> : > password has expired isn't hard, and maybe we should do that.
> :
> :
> : Has any of this ended up in the current openssh portable code?
>
> no, what platform are you using? i should have said adding code to run
> passwd for one platform isn't hard. you have getspent(), getprpwent(),
> BSD pw_change, some with password aging data in the password field, and
> getpwaent() systems, and probably more. i'll think about it some more.
>
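Added example, not code from this thread or from OpenSSH: the non-PAM "has the password expired?" decision that Darren asks about, written for the getspent()/getspnam() family Kevin Steves lists. It applies the shadow(5) aging fields (sp_lstchg, sp_max, sp_inact, sp_expire) to a given day and returns one of four states, so the daemon can tell "run passwd instead of the shell" apart from "refuse the login", the two outcomes pam_acct_mgmt() folds into its return codes. It assumes a Linux/glibc system with <shadow.h>; the day numbers in the test are constructed values, and the enum and function names are this example's own.

```c
/* Added example, not from the thread or from OpenSSH: classify a user's
 * password-aging state from shadow(5) fields, which is what a non-PAM
 * "is the password expired?" check on getspent()/getspnam() systems
 * amounts to.  Assumes Linux/glibc (<shadow.h>). */
#include <pwd.h>
#include <shadow.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

enum pw_state {
    PW_OK,               /* password valid, let the session proceed */
    PW_CHANGE_REQUIRED,  /* expired or admin-forced: run passwd, not the shell */
    PW_INACTIVE,         /* expired more than sp_inact days ago: refuse login */
    PW_ACCOUNT_EXPIRED   /* sp_expire date reached: refuse login */
};

/* Days since the epoch, the unit shadow(5) uses for its aging fields. */
long pw_today(void)
{
    return (long)(time(NULL) / 86400);
}

/* Apply the shadow(5) aging rules to one entry for the given day.
 * A field of -1 means "not set"; sp_lstchg == 0 means "must change at
 * next login" regardless of sp_max; sp_expire == 0 is treated as unset
 * because shadow(5) calls that value ambiguous. */
enum pw_state pw_aging_state(const struct spwd *sp, long today)
{
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return PW_ACCOUNT_EXPIRED;          /* the whole account has expired */
    if (sp->sp_lstchg == 0)
        return PW_CHANGE_REQUIRED;          /* admin forced a change */
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)
        return PW_OK;                       /* aging disabled for this user */

    long expires = sp->sp_lstchg + sp->sp_max;
    if (today < expires)
        return PW_OK;
    if (sp->sp_inact >= 0 && today >= expires + sp->sp_inact)
        return PW_INACTIVE;                 /* grace period also used up */
    return PW_CHANGE_REQUIRED;              /* expired, but may still be changed */
}

/* Wrapper over the four aging fields so the rules can be exercised with
 * constructed values instead of a real shadow entry. */
enum pw_state pw_check(long lstchg, long max, long inact, long expire, long today)
{
    struct spwd sp = { 0 };
    sp.sp_lstchg = lstchg;
    sp.sp_max = max;
    sp.sp_inact = inact;
    sp.sp_expire = expire;
    sp.sp_min = -1;
    sp.sp_warn = -1;
    return pw_aging_state(&sp, today);
}

static const char *pw_state_name(enum pw_state s)
{
    switch (s) {
    case PW_OK:              return "ok";
    case PW_CHANGE_REQUIRED: return "change required (run passwd instead of the shell)";
    case PW_INACTIVE:        return "inactive (refuse login)";
    default:                 return "account expired (refuse login)";
    }
}

/* Stand-alone use: report the invoking user's state.  Reading the shadow
 * file needs privilege, so getspnam() fails for an ordinary user. */
int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        perror("getpwuid");
        return 1;
    }
    struct spwd *sp = getspnam(pw->pw_name);
    if (sp == NULL) {
        perror("getspnam (needs privilege to read the shadow file)");
        return 1;
    }
    printf("%s: %s\n", pw->pw_name, pw_state_name(pw_aging_state(sp, pw_today())));
    return 0;
}
```

The order of the checks matters: an account expiry date wins over everything, a forced change (sp_lstchg of 0) wins over disabled aging, and the sp_inact grace window only applies once sp_max has run out. A daemon that collapsed all of these into "expired, close the connection" would lock out users who are still allowed to change their password, which is the behaviour the thread complains about.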