Ed Phillips
2001-Nov-08 19:27 UTC
sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
The reason I ask about the patches is because I think the problem you're seeing might actually be a bug in pam_unix.so.1 - it's something to try at least. We don't use password aging and we don't use the "passwd" command to change passwords, so we haven't run into this at our site even though we probably don't have pam_unix.so patched up. Also, the passwd command doesn't even work if you have something besides "files", "nis" or "nis+" in the passwd line of /etc/nsswitch.conf (which we do).

Ed

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
Ed Phillips
2001-Nov-08 19:36 UTC
sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
Better Idea Alert!

Try patch 111659-02 and you don't have to wait for 3 hours (right now) while the Recommended Patch Set installs.

Chances are, if there is a problem with pam_unix, this patch fixes it. The buglist for this patch includes the following:

4112707 Password expiration (passwd -f) doesn't work correctly

Also, if "passwd -f" is really the culprit (puts something in /etc/shadow that pam_unix.so doesn't like), you can try editing /etc/shadow by hand and make the entry look like:

user:<encpw>:1:1:1::::

Hope this helps...

Ed

On Thu, 8 Nov 2001, Ed Phillips wrote:

> Date: Thu, 8 Nov 2001 14:26:54 -0500 (EST)
> From: Ed Phillips <ed at udel.edu>
> To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> Cc: openssh-unix-dev at udel.edu
> Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
>
> The reason I ask about the patches is because I think the problem you're
> seeing might actually be a bug in pam_unix.so.1 - it's something to try at
> least. We don't use password aging and we don't use the "passwd" command
> to change passwords, so we haven't run into this at our site even though
> we probably don't have pam_unix.so patched up. Also, the passwd command
> doesn't even work if you have something besides "files", "nis" or "nis+"
> in the passwd line of /etc/nsswitch.conf (which we do).
>
> Ed
>
> Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> Systems Programmer III, Network and Systems Services
> finger -l ed at polycut.nss.udel.edu for PGP public key

Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
Systems Programmer III, Network and Systems Services
finger -l ed at polycut.nss.udel.edu for PGP public key
Dost, Alexander
2001-Nov-09 09:29 UTC
sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
Putting together what various testing produced:

The problem is indeed the passwd -f command. It puts a zero into the lastchg field and this is never changed thereafter... pam_unix.so crashes and is not able to handle the zero-field.

If you change /etc/shadow according to the below mentioned scheme "name:<passwd>:1:1:1", everything works fine. The only problem is that after login the other fields are not updated. The lastchg field is set correctly, but the others (min/max/warn) are left alone pointing to '1', so after one day you will supposedly be asked again to change. But this is another problem, I think, when you manually change these files.

Thanks all for the help

Alex

> -----Original Message-----
> From: Mark D. Baushke [SMTP:mdb at juniper.net]
> Sent: Thursday, November 08, 2001 22:09
> To: Scott Burch
> Cc: Ed Phillips; Dost, Alexander; OpenSSH Development
> Subject: Re: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
>
> Hi Scott,
>
> You may find a problem building under Solaris 2.6 with references to
> 'struct rlimit64' this may be cured by either removing the line
>
> #define _FILE_OFFSET_BITS 64
>
> in the config.h file or adding the lines
>
> /* Define if _FILE_OFFSET_BITS also needs _LARGEFILE64_SOURCE defined */
> #define _LARGEFILE64_SOURCE 1
>
> to config.h this is due to a bug in the AC_SYS_LARGEFILE macro used in
> configure.ac
>
> Good luck,
> -- Mark
>
> > Message-ID: <009701c16890$d2ad32f0$f24318ac at ent.core.medtronic.com>
> > From: "Scott Burch" <scott.burch at camberwind.com>
> > To: "Ed Phillips" <ed at UDel.Edu>, "Dost, Alexander" <Alexander.Dost at drkw.com>
> > Cc: "OpenSSH Development" <openssh-unix-dev at mindrot.org>
> > References: <Pine.SOL.4.30.0111081432500.25771-100000 at mahler.udel.edu>
> > Subject: Re: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> > Date: Thu, 8 Nov 2001 14:06:16 -0600
> >
> > Hello,
> >
> > For Solaris 2.6 the patch is 106271-08 from 9/17/01. I am about to build on
> > 2.6 and will verify that this works.
> >
> > -Scott
> >
> > ----- Original Message -----
> > From: "Ed Phillips" <ed at UDel.Edu>
> > To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > Cc: "OpenSSH Development" <openssh-unix-dev at mindrot.org>
> > Sent: Thursday, November 08, 2001 1:36 PM
> > Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> >
> > > Better Idea Alert!
> > >
> > > Try patch 111659-02 and you don't have to wait for 3 hours (right now)
> > > while the Recommended Patch Set installs.
> > >
> > > Chances are, if there is a problem with pam_unix, this patch fixes it.
> > > The buglist for this patch includes the following:
> > >
> > > 4112707 Password expiration (passwd -f) doesn't work correctly
> > >
> > > Also, if "passwd -f" is really the culprit (puts something in /etc/shadow
> > > that pam_unix.so doesn't like), you can try editing /etc/shadow by hand
> > > and make the entry look like:
> > >
> > > user:<encpw>:1:1:1::::
> > >
> > > Hope this helps...
> > >
> > > Ed
> > >
> > > On Thu, 8 Nov 2001, Ed Phillips wrote:
> > >
> > > > Date: Thu, 8 Nov 2001 14:26:54 -0500 (EST)
> > > > From: Ed Phillips <ed at udel.edu>
> > > > To: "Dost, Alexander" <Alexander.Dost at drkw.com>
> > > > Cc: openssh-unix-dev at udel.edu
> > > > Subject: RE: sshd can't change expired password on Sol8 with Openssh3.0p1 + PAM
> > > >
> > > > The reason I ask about the patches is because I think the problem you're
> > > > seeing might actually be a bug in pam_unix.so.1 - it's something to try at
> > > > least. We don't use password aging and we don't use the "passwd" command
> > > > to change passwords, so we haven't run into this at our site even though
> > > > we probably don't have pam_unix.so patched up. Also, the passwd command
> > > > doesn't even work if you have something besides "files", "nis" or "nis+"
> > > > in the passwd line of /etc/nsswitch.conf (which we do).
> > > >
> > > > Ed
> > > >
> > > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > > Systems Programmer III, Network and Systems Services
> > > > finger -l ed at polycut.nss.udel.edu for PGP public key
> > >
> > > Ed Phillips <ed at udel.edu> University of Delaware (302) 831-6082
> > > Systems Programmer III, Network and Systems Services
> > > finger -l ed at polycut.nss.udel.edu for PGP public key
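
Added example, not part of the original thread or of OpenSSH: a small audit that scans a shadow(4)-format file for the two states discussed above, a lastchg field of 0 and the min/max values of 1 left behind by the hand-edited entry. The function names, finding labels and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). shadow(4) field layout:
#   name:passwd:lastchg:min:max:warn:inactive:expire:flag

# audit_shadow [FILE]: print "<user> <finding>" for each entry in one of the
# states described in the thread. Reads stdin when FILE is omitted.
audit_shadow() {
    awk -F: '
        NF == 0 { next }                          # blank line
        NF != 9 { print $1, "malformed"; next }   # not a 9-field shadow entry
        # Locked or no-password accounts never reach the password-change path.
        $2 == "NP" || index($2, "*LK*") == 1 { next }
        # lastchg of 0: what the thread reports "passwd -f" leaving behind.
        $3 == "0" { print $1, "lastchg0" }
        # min and max both 1: leftover of the hand-edited workaround entry,
        # which the thread says prompts for a new password after one day.
        $4 == "1" && $5 == "1" { print $1, "aging1" }
    ' "${1:--}"
}

# Constructed sample data; the hashes are placeholders, not real crypt output.
sample_shadow() {
    cat <<'EOF'
root:PLACEHOLDERHASH1:11634::::::
alice:PLACEHOLDERHASH2:0::::::
bob:PLACEHOLDERHASH3:11635:1:1::::
carol:*LK*:0::::::
daemon:NP:6445::::::
dave:PLACEHOLDERHASH4:0
EOF
}

# On a real host (as root): audit_shadow /etc/shadow
sample_shadow | audit_shadow
```
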