bugzilla-daemon at mindrot.org
2003-Jan-09 12:17 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From dtucker at zip.com.au 2003-01-09 23:17 ------- Created an attachment (id=199) --> (bugzilla.mindrot.org/attachment.cgi?id=199&action=view) Implement password change via /bin/passwd in session. openssh-passexpire10.patch: * Implementes shadow and AIX password expiry. * Adds general expire_message and login_message Buffers to replace platform-specific variables. * Implements PasswordExpireWarningDays and ForcedPasswdChange options. * Uses SIGUSR1 to reset password change flag. * Net reduction in #ifdefs. Tested on AIX, Solaris and Redhat. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-09 12:37 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From djm at mindrot.org 2003-01-09 23:37 ------- I have had a quick look over the patch. It looks good, though I am unsure about the extra options (can't we always get these from shadow?). It is very tempting to ignore PAM password changing (for the non-kbdint case) and just use this method - on a PAM enabled system, passwd should be PAM enabled too. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-09 13:30 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OS/Version|other |All ------- Additional Comments From dtucker at zip.com.au 2003-01-10 00:30 ------- I had seen those options in a man page for ssh-1.2.something and assumed that they would be needed. For PasswordExpireWarningDays, you're right, I missed the sp_warn field in spwd. AIX doesn't need it either, its warning messages are generated by passwdexpired(). Not sure about ForcedPasswdChange, should the admin have this option? (if you don't want password expiry then don't turn it on) The last time someone suggested PAM-chauthtok-via-passwd the objection was that passwd used the "passwd" PAM service and sshd used the "sshd" service and they might do different things (although normally they don't). Is this a PAM-purist thing? (Changed platform to "All", this bug covers a lot of them). ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-09 14:06 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #199 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-01-10 01:06 ------- Created an attachment (id=200) --> (bugzilla.mindrot.org/attachment.cgi?id=200&action=view) passexpire-11: Put back shadow expiry and delete options openssh-passexpire-11: I screwed up the last merge from cvs and the shadow stuff wasn't there. This one adds it back in, uses spw->sp_warn and removes the options. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-10 09:56 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From dtucker at zip.com.au 2003-01-10 20:56 ------- passexpire-11 is broken (doesn't correctly check for change), please ignore. I'm working on a fix. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-10 23:06 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #200 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-01-11 10:06 ------- Created an attachment (id=201) --> (bugzilla.mindrot.org/attachment.cgi?id=201&action=view) passexpire12: password expiry via /bin/passwd in session Now (correctly I hope!) checks that the password is changed successfully. Adds is_password_change_required() and privsep wrapper. This re-tests the account and resets the change flag. This is necessary because passwd sometimes does not return a failure exit code (eg AIX in the "your password has been expired too long and only the admin can change it" case). Tested on AIX 4.3.3, Solaris 8 and Redhat 8. Should work on any platform with /etc/shadow and any version of AIX 4 (unsure about previous versions). The equivalent patch against the 3.5p1 release is at zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire12.patch. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-14 12:26 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #201 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-01-14 23:26 ------- Created an attachment (id=205) --> (bugzilla.mindrot.org/attachment.cgi?id=205&action=view) passexpire13: add support for comma-in-passwd expiry This patch against the cvs tree adds support for comma-in-password-type password expiry, in addition to AIX and /etc/shadow support. This requires pw_age in struct passwd and includes a configure test for this. Also include cosmetic changes (eg "1 days left" -> "1 day left"). Tested on HP-UX 11.00 non-trusted config. It should be possible to support trusted config without PAM via getprpwnam and friends, but this has not been written yet. ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Feb-01 09:38 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Attachment #205 is|0 |1 obsolete| | ------- Additional Comments From dtucker at zip.com.au 2003-02-01 20:38 ------- Created an attachment (id=215) --> (bugzilla.mindrot.org/attachment.cgi?id=215&action=view) passexpire15: removes privsep call, HP-UX support Adds /bin/passwd-in-session password expiration support. * configure finds passwd * supports /etc/shadow & AIX platforms * uses SIGUSR1 to reset forwarding flags after successful change * warns users of impending account/password expiry * generates and stores AIX & PrintLastLog messages before privsep split (this also fixes bug #463). Changes relative to previous patch: * remove invalid privsep call * remove HP-UX password expiry * detects over-expired AIX password (this will cause passwd to bomb without setting a failure code and thus let the user login) This patch is a cleanup, I don't intend making any further changes unless a flaw is discovered. If it gets in and there's sufficient interest I'll look at re-implementing the HP-UX support (which currently can only do expiry through PAM). The equivalent patch against 3.5p1 will be available at zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire15.patch I'd like to acknowledge that these patches are originally based on patches by Pablo Sor (psor at afip gov ar) and Mark Pitt (mark.pitt at ch ibm com) and the AIX loginsuccess() changes are based on work by Kevin Cawlfield (cawlfiel at austin ibm com). ------- You are receiving this mail because: ------- You are on the CC list for the bug, or are watching someone who is.