Hello,

There has been an annoyance with OpenSSH that has been bugging me lately. It pays no attention to pw_change and pw_expire fields from the passwd file for users by default. Thus even if the admin has set a user's account to expire 5 days ago they can still login.

So one might say, just add 'UseLogin yes' and all of your problems will be solved. This of course is not a good answer, because as has been noted recently on the list and is mentioned in the man page, UseLogin does not affect remote command execution, thus people can still use scp, sftp or just execute random shell commands. It would be simplistic to regain access to one's account, even if it was expired and UseLogin set to yes IMO. A few remote commands and you could upload an alternate way of logging in with an interactive account. This defeats the entire purpose of account & password expiration IMO and should be fixed immediately.

Since no one else has seemed concerned about this when I posted it on the OpenBSD mailing lists I have written a patch to attempt to address the problem myself. This has already been submitted to bugs at openbsd several days ago, but met no response, thus I'm submitting it here as well (probably proper procedure in the first place).

Patch is available at: http://www.cerias.purdue.edu/homes/rajak/openbsd/patch_exp-support

The changes are minor, should not add any significant overhead and seem to be the right thing to do in any case. I would personally like to see a sshd config option that allowed customizable warning times, which I added in session.c (very similar to how login does it) with a -fixed- time (1 week), but I do not want to waste more time writing patches if they are just going to be ignored.

Looking forward to some response/feedback,

-b
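As an added illustration (not the patch linked above, nor OpenSSH code), here is the pw_expire/pw_change policy check the post asks sshd to perform, written as a standalone C function with the fixed one-week warning window the post describes. The field semantics are the BSD passwd ones (a value of 0 means "never"); the function name, enum and the constructed timestamps are this example's own.

```c
#include <stdio.h>
#include <time.h>

/* Warning window: fixed at one week, as in the post's patch (assumption). */
#define EXPIRE_WARN_SECS (7 * 24 * 60 * 60)

enum acct_state {
    ACCT_OK,              /* nothing to report */
    ACCT_WARN,            /* a deadline falls inside the warning window */
    ACCT_PASSWD_EXPIRED,  /* pw_change has passed: password must be changed */
    ACCT_EXPIRED          /* pw_expire has passed: refuse the login */
};

/* Evaluate a passwd entry's pw_expire / pw_change (0 = never) at time 'now'.
 * days_left (may be NULL) receives the days until the nearest pending
 * deadline, rounded up, or 0 when no warning is due. */
enum acct_state
check_expiry(time_t pw_expire, time_t pw_change, time_t now, int *days_left)
{
    time_t nearest = 0;
    if (days_left) *days_left = 0;

    /* Account expiry is fatal and checked before anything else. */
    if (pw_expire != 0 && now >= pw_expire)
        return ACCT_EXPIRED;
    /* An expired password: the user gets in but must change it. */
    if (pw_change != 0 && now >= pw_change)
        return ACCT_PASSWD_EXPIRED;

    if (pw_expire != 0 && pw_expire - now < EXPIRE_WARN_SECS)
        nearest = pw_expire;
    if (pw_change != 0 && pw_change - now < EXPIRE_WARN_SECS &&
        (nearest == 0 || pw_change < nearest))
        nearest = pw_change;
    if (nearest == 0)
        return ACCT_OK;
    if (days_left)
        *days_left = (int)((nearest - now + 86399) / 86400);
    return ACCT_WARN;
}

/* Convenience wrapper returning only the warning days. */
int expiry_days_left(time_t pw_expire, time_t pw_change, time_t now)
{
    int d = 0;
    check_expiry(pw_expire, pw_change, now, &d);
    return d;
}

int main(void)
{
    time_t now = time(NULL);  /* constructed: password change due in 3 days */
    printf("state=%d days=%d\n", check_expiry(0, now + 3 * 86400, now, NULL),
           expiry_days_left(0, now + 3 * 86400, now));
    return 0;
}
```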
On Sat, Jun 02, 2001 at 10:19:19PM -0500, Brian Poole wrote:
> Since no one else has seemed concerned about this when I posted it on
> the OpenBSD mailing lists

i wrote:

% On Mon, May 14, 2001 at 03:20:57PM -0500, Brian Poole wrote:
% > My problem is this, OpenSSH does not respect account nor password
% > expirations by default (by respect I mean it totally ignores them,
% > it doesn't matter if they are set and have expired). Why?
% >
% > [...]
% >
% > This entire bit probably applies to rsh/rlogin as well, but I'm not
% > nearly as concerned about it as it isn't on by default nor used by
% > myself.
%
% both openssh and rlogin ignore this, so this suggests
% that the operating system does not support this feature
% at all.
%
% however, in the future openbsd will move to BSD_AUTH, so
% perhaps this feature will be supported on openbsd.

and indeed, this is handled by auth_approval in session.c if BSD_AUTH is defined.

-m
Blarg, this should have gone to the list, not to Markus direct.

----- Forwarded message from Brian Poole <raj at basm.cerias.purdue.edu> -----

Date: Sun, 3 Jun 2001 14:40:22 -0500
From: Brian Poole <raj at basm.cerias.purdue.edu>
To: Markus Friedl <markus.friedl at informatik.uni-erlangen.de>
Subject: Re: Handling of password & account expirations

Quoting Markus Friedl (markus.friedl at informatik.uni-erlangen.de) from 3 June 2001:
> % however, in the future openbsd will move to BSD_AUTH, so
> % perhaps this feature will be supported on openbsd.
>
> and indeed, this is handled by auth_approval in session.c
> if BSD_AUTH is defined.

Sorry, it seemed a little nebulous of a response. You did reply though and I'll apologize for saying that no one had replied. I've personally been unable to find more information on BSD_AUTH so I can't say I'm well educated on how it works. I'm very glad that it closes this door on OpenBSD.

While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I believe this is still an issue with OpenSSH in the portable release, correct? We can't expect {Linux,Solaris,<foobar-os>} to have BSD_AUTH can we?

Your response is appreciated,

-b

----- End forwarded message -----
> While this no longer applies to OpenBSD now that we have moved to BSD_AUTH I
> believe this is still an issue with OpenSSH in the portable release, correct?
> We can't expect {Linux,Solaris,<foobar-os>} to have BSD_AUTH can we?

It shouldn't be an issue on those systems since OpenSSH (unlike the SSH Communications Inc) properly calls pam_acct_mgmt() regardless of which type of authentication was used. On Linux and Solaris the password aging is enforced in a PAM module so the correct thing happens on these systems when the portable release is compiled with PAM support.

--
Darren J Moffat