fyi (i'm behind in following the password expire efforts).
----- Forwarded message from Logu <logsnaath at gmx.net> -----
Date: Sat, 7 Dec 2002 02:42:52 +0530
From: "Logu" <logsnaath at gmx.net>
To: <stevesk at cvs.openbsd.org>
Cc: <kumaresh_ind at gmx.net>
Subject: Password expiry related clarification in OpenSSH3.5p1
Hello Stevesk,
We are using OpenSSH3.1p1 and now planned to shift to OpenSSH3.5p1. Among
other changes, we would like to know specifically the reasons for the
commented part of the PAM account expiration part in auth-pam.c.
Why is this part of the code not used in 3.5p1? Are there any specific
reasons for not using this part of the code?
#if 0
        case PAM_NEW_AUTHTOK_REQD:
                message_cat(&__pam_msg, use_privsep ?
                    NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
                /* flag that password change is necessary */
                password_change_required = 1;
                /* disallow other functionality for now */
                no_port_forwarding_flag |= 2;
                no_agent_forwarding_flag |= 2;
                no_x11_forwarding_flag |= 2;
                break;
#endif
Please reply.
Thanks
Logsnaath.
----- End forwarded message -----
Kevin Steves wrote:
> fyi (i'm behind in following the password expire efforts).
> ----- Forwarded message from Logu <logsnaath at gmx.net> -----
> Date: Sat, 7 Dec 2002 02:42:52 +0530
> From: "Logu" <logsnaath at gmx.net>
[snip]
> We are using OpenSSH3.1p1 and now planned to shift to OpenSSH3.5p1. Among
> other changes, we would like to know specifically the reasons for the
> commented part of the PAM account expiration part in auth-pam.c.
> Why is this part of the code not used in 3.5p1? Are there any specific
> reasons for not using this part of the code?

That's because it doesn't work with privsep, no?

The bit I don't get is in auth-pam.c:

#if 0
        /* XXX: This would need to be done in the parent process,
         * but there's currently no way to pass such request. */
        no_port_forwarding_flag &= ~2;
[snip]
#endif

I think that should read "child process", assuming chauthtok is run by
the monitor.

I've done a fair amount of work on various expiry methods, but what I
need is someone to say "do X and the results will be merged". The only
thing I'm certain of is everybody wants something different.

Some of the patches are at http://www.zip.com.au/~dtucker/openssh/, the
rest can be found in the list archives.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
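Added example, not part of the original thread and not OpenSSH code: the "no way to pass such request" comment quoted above comes down to a flag cleared in one process after fork() staying set in the other unless the change is sent across explicitly. The function name, the pipe and the one-byte 'C' message are assumptions made for this sketch, and it does not model which sshd process actually runs the password change.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in for the flag in the quoted snippet (not the real sshd global):
 * bit 2 means "disabled until the expired password has been changed". */
static int no_port_forwarding_flag;

/* Fork a helper that clears bit 2 after a simulated password change.
 * With relay != 0 the helper also reports the change over a pipe and the
 * caller applies it to its own copy. Returns the caller's flag, -1 on error. */
int flag_after_helper_clears(int relay)
{
    int fds[2];
    char msg = 0;
    pid_t pid;

    no_port_forwarding_flag = 2;          /* restriction set before fork() */
    if (pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* helper process */
        close(fds[0]);
        no_port_forwarding_flag &= ~2;    /* changes only the helper's copy */
        if (relay && write(fds[1], "C", 1) != 1)
            _exit(1);
        _exit(0);
    }
    close(fds[1]);
    /* EOF (read returns 0) means the helper exited without reporting. */
    if (read(fds[0], &msg, 1) == 1 && msg == 'C')
        no_port_forwarding_flag &= ~2;    /* explicit request applied here */
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return no_port_forwarding_flag;
}

int main(void)
{
    printf("no relay:   flag = %d\n", flag_after_helper_clears(0));
    printf("with relay: flag = %d\n", flag_after_helper_clears(1));
    return 0;
}
```

Without the relay the caller's copy keeps bit 2 set, so the restriction stays in force even though the helper cleared its own copy.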