bugzilla-daemon at mindrot.org
2002-Mar-27 15:43 UTC
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:43 -------
Created an attachment (id=55)
Patch to do pw aging in kbd-interactive

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-Mar-27 15:50 UTC
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 02:50 -------
Attached patch. This patch does the following:

- adds a boolean argument to do_pam_authenticate(), "can_age_pw_here"
- do_pam_authenticate() always calls pam_acct_mgmt() and saves the result
- do_pam_authenticate() calls pam_chauthtok() IFF (can_age_pw_here && pam_acct_mgmt() == PAM_NEW_AUTHTOK_REQD)
- auth2_pam() calls do_pam_authenticate(0, 1) to allow password aging during keyboard-interactive authentication

Cheers,

Nico
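The call ordering listed in the comment above, as an added example that is neither the attached patch nor OpenSSH's own code: the decision logic is written against a small function-pointer interface so it could be bound either to the real pam_authenticate/pam_acct_mgmt/pam_chauthtok calls or to the simulated stack included in the block. The locally defined result codes, the `pam_ops` struct and the `sim_pam` stack are this example's constructions, and returning "not authenticated" when the expired token cannot be changed in the current userauth method is this example's assumption, since the page does not show the patch's return value for that case.

```c
#include <stddef.h>

/* Constructed example: the PAM result codes this logic branches on (values
 * as in Linux-PAM's <security/pam_appl.h>; defined locally so the block
 * builds without libpam). */
enum { PAM_SUCCESS = 0, PAM_AUTH_ERR = 7, PAM_NEW_AUTHTOK_REQD = 12 };

/* The three PAM calls the patch sequences, behind function pointers so the
 * same decision code can be bound to the real libpam calls on a pam_handle_t
 * or to the simulated stack below (assumed interface, not OpenSSH's). */
struct pam_ops {
    int (*authenticate)(void *h);
    int (*acct_mgmt)(void *h);
    int (*chauthtok)(void *h);
};

/* Ordering from the patch comment: authenticate, always run account
 * management and save its result, and run pam_chauthtok() only when this
 * userauth method can carry the change-password dialogue and account
 * management reported an expired token. Returns 1 if the user may be treated
 * as authenticated. Denying when aging cannot happen here is this example's
 * assumption, chosen so an expired password never yields a session. */
static int do_pam_authenticate(const struct pam_ops *ops, void *h,
                               int can_age_pw_here, int *saved_acct_rc)
{
    if (ops->authenticate(h) != PAM_SUCCESS)
        return 0;
    *saved_acct_rc = ops->acct_mgmt(h);
    if (*saved_acct_rc == PAM_SUCCESS)
        return 1;
    if (*saved_acct_rc == PAM_NEW_AUTHTOK_REQD && can_age_pw_here)
        return ops->chauthtok(h) == PAM_SUCCESS;
    return 0;
}

/* Simulated PAM stack for offline use: scripted results plus a counter that
 * shows whether the change-password step actually ran. */
struct sim_pam { int auth_rc, acct_rc, chauthtok_rc, chauthtok_calls; };

static int sim_auth(void *h) { return ((struct sim_pam *)h)->auth_rc; }
static int sim_acct(void *h) { return ((struct sim_pam *)h)->acct_rc; }
static int sim_chauthtok(void *h)
{
    struct sim_pam *p = h;
    p->chauthtok_calls++;
    return p->chauthtok_rc;
}
static const struct pam_ops sim_ops = { sim_auth, sim_acct, sim_chauthtok };
```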
bugzilla-daemon at mindrot.org
2002-Mar-27 18:00 UTC
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 05:00 -------
The patch I attached earlier fixes the bug for keyboard-interactive userauth.

For password userauth I think OpenSSH should either support SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or not even try password aging over the TTY session as it does now.

Implementing password aging over the tty session is a *security bug* if the underlying password validation mechanism is Kerberos (e.g., via PAM_KRB5) because Kerberos cannot authenticate a user whose password is expired, yet by the time the TTY session is set up the server considers the user to be authenticated and the client is free to open any channels it wants.

Cheers,

Nico
bugzilla-daemon at mindrot.org
2002-Mar-27 20:27 UTC
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From Nicolas.Williams at ubsw.com 2002-03-28 07:27 -------
Created an attachment (id=56)
Second version of previous patch - also disables password aging in password userauth
bugzilla-daemon at mindrot.org
2002-Apr-23 13:39 UTC
[Bug 188] pam_chauthtok() is called too late
http://bugzilla.mindrot.org/show_bug.cgi?id=188

------- Additional Comments From djm at mindrot.org 2002-04-23 23:38 -------
The PAM privsep changes will have broken this patch - can you remake it against -current?