bugzilla-daemon at mindrot.org
2003-Jan-09 12:17 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

------- Additional Comments From dtucker at zip.com.au 2003-01-09 23:17 -------
Created an attachment (id=199)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=199&action=view)
Implement password change via /bin/passwd in session.

openssh-passexpire10.patch:
* Implements shadow and AIX password expiry.
* Adds general expire_message and login_message Buffers to replace platform-specific variables.
* Implements PasswordExpireWarningDays and ForcedPasswdChange options.
* Uses SIGUSR1 to reset password change flag.
* Net reduction in #ifdefs.

Tested on AIX, Solaris and Redhat.

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
bugzilla-daemon at mindrot.org
2003-Jan-09 12:37 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

------- Additional Comments From djm at mindrot.org 2003-01-09 23:37 -------
I have had a quick look over the patch. It looks good, though I am unsure about the extra options (can't we always get these from shadow?).

It is very tempting to ignore PAM password changing (for the non-kbdint case) and just use this method - on a PAM enabled system, passwd should be PAM enabled too.
bugzilla-daemon at mindrot.org
2003-Jan-09 13:30 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         OS/Version|other                       |All

------- Additional Comments From dtucker at zip.com.au 2003-01-10 00:30 -------
I had seen those options in a man page for ssh-1.2.something and assumed that they would be needed.

For PasswordExpireWarningDays, you're right, I missed the sp_warn field in spwd. AIX doesn't need it either, its warning messages are generated by passwdexpired().

Not sure about ForcedPasswdChange, should the admin have this option? (if you don't want password expiry then don't turn it on)

The last time someone suggested PAM-chauthtok-via-passwd the objection was that passwd used the "passwd" PAM service and sshd used the "sshd" service and they might do different things (although normally they don't). Is this a PAM-purist thing?

(Changed platform to "All", this bug covers a lot of them).
bugzilla-daemon at mindrot.org
2003-Jan-09 14:06 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #199 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-01-10 01:06 -------
Created an attachment (id=200)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=200&action=view)
passexpire-11: Put back shadow expiry and delete options

openssh-passexpire-11: I screwed up the last merge from cvs and the shadow stuff wasn't there. This one adds it back in, uses spw->sp_warn and removes the options.
bugzilla-daemon at mindrot.org
2003-Jan-10 09:56 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

------- Additional Comments From dtucker at zip.com.au 2003-01-10 20:56 -------
passexpire-11 is broken (doesn't correctly check for change), please ignore. I'm working on a fix.
bugzilla-daemon at mindrot.org
2003-Jan-10 23:06 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #200 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-01-11 10:06 -------
Created an attachment (id=201)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=201&action=view)
passexpire12: password expiry via /bin/passwd in session

Now (correctly I hope!) checks that the password is changed successfully.

Adds is_password_change_required() and privsep wrapper. This re-tests the account and resets the change flag. This is necessary because passwd sometimes does not return a failure exit code (eg AIX in the "your password has been expired too long and only the admin can change it" case).

Tested on AIX 4.3.3, Solaris 8 and Redhat 8. Should work on any platform with /etc/shadow and any version of AIX 4 (unsure about previous versions).

The equivalent patch against the 3.5p1 release is at http://www.zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire12.patch.
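The /etc/shadow ageing test (including the sp_warn window) and the re-test after passwd that the comments above describe, as an added example that is not taken from the attached patches or from OpenSSH. struct shadow_age, check_password_age() and change_accepted() are hypothetical names, the struct is a constructed stand-in for the sp_lstchg, sp_max and sp_warn fields of struct spwd, and all sample values are constructed.

```c
#include <stdio.h>

enum pw_state { PW_OK, PW_WARN, PW_CHANGE_REQUIRED };

/* Constructed stand-in for the ageing fields of struct spwd (all in days). */
struct shadow_age {
    long sp_lstchg;   /* day of last change since 1970-01-01; 0 = change forced */
    long sp_max;      /* maximum password age; negative = ageing disabled */
    long sp_warn;     /* start warning this many days before expiry */
};

/* Classify the password; *days_left stays -1 when ageing does not apply. */
static enum pw_state
check_password_age(const struct shadow_age *sp, long today, long *days_left)
{
    *days_left = -1;
    if (sp->sp_lstchg == 0)                    /* admin forced a change */
        return PW_CHANGE_REQUIRED;
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)   /* ageing disabled */
        return PW_OK;
    *days_left = sp->sp_lstchg + sp->sp_max - today;
    if (*days_left < 0)
        return PW_CHANGE_REQUIRED;
    if (sp->sp_warn > 0 && *days_left <= sp->sp_warn)
        return PW_WARN;
    return PW_OK;
}

/* Fail closed: a zero exit status from passwd is not enough on its own;
 * the account record read after passwd ran must also pass the ageing test. */
static int
change_accepted(int passwd_exit_status, const struct shadow_age *after, long today)
{
    long left;
    if (passwd_exit_status != 0)
        return 0;
    return check_password_age(after, today, &left) != PW_CHANGE_REQUIRED;
}

int main(void)
{
    long today = 12062, left;                       /* constructed day number */
    struct shadow_age expired = { 11900, 90, 7 };   /* expired 72 days ago */
    struct shadow_age changed = { 12062, 90, 7 };   /* changed today */
    printf("before: %d\n", check_password_age(&expired, today, &left));
    printf("exit 0, record unchanged: %d\n", change_accepted(0, &expired, today));
    printf("exit 0, record updated:   %d\n", change_accepted(0, &changed, today));
    return 0;
}
```

The second line printed is the case the comment calls out: passwd reports success, but the record is still expired, so the session is not allowed to continue.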
bugzilla-daemon at mindrot.org
2003-Jan-14 12:26 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #201 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-01-14 23:26 -------
Created an attachment (id=205)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=205&action=view)
passexpire13: add support for comma-in-passwd expiry

This patch against the cvs tree adds support for comma-in-password-type password expiry, in addition to AIX and /etc/shadow support. This requires pw_age in struct passwd and includes a configure test for this.

Also include cosmetic changes (eg "1 days left" -> "1 day left").

Tested on HP-UX 11.00 non-trusted config. It should be possible to support trusted config without PAM via getprpwnam and friends, but this has not been written yet.
bugzilla-daemon at mindrot.org
2003-Feb-01 09:38 UTC
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #205 is|0                           |1
           obsolete|                            |

------- Additional Comments From dtucker at zip.com.au 2003-02-01 20:38 -------
Created an attachment (id=215)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=215&action=view)
passexpire15: removes privsep call, HP-UX support

Adds /bin/passwd-in-session password expiration support.
* configure finds passwd
* supports /etc/shadow & AIX platforms
* uses SIGUSR1 to reset forwarding flags after successful change
* warns users of impending account/password expiry
* generates and stores AIX & PrintLastLog messages before privsep split (this also fixes bug #463).

Changes relative to previous patch:
* remove invalid privsep call
* remove HP-UX password expiry
* detects over-expired AIX password (this will cause passwd to bomb without setting a failure code and thus let the user login)

This patch is a cleanup, I don't intend making any further changes unless a flaw is discovered. If it gets in and there's sufficient interest I'll look at re-implementing the HP-UX support (which currently can only do expiry through PAM).

The equivalent patch against 3.5p1 will be available at http://www.zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire15.patch

I'd like to acknowledge that these patches are originally based on patches by Pablo Sor (psor at afip gov ar) and Mark Pitt (mark.pitt at ch ibm com) and the AIX loginsuccess() changes are based on work by Kevin Cawlfield (cawlfiel at austin ibm com).