Hi

I just "stumbled" over the flags settings in
pam_password_change_required().
As far as I looked over the OpenSSH code, setting/resetting the 2nd bit
in those flags from auth-options.c would only make sense if the flags
are checked to be 0/1 in the remaining OpenSSH code.

Frank

Frank Mohr wrote:
> I just "stumbled" over the flags settings in
> pam_password_change_required().
> As far as I looked over the OpenSSH code, setting/resetting the 2nd bit
> in those flags from auth-options.c would only make sense if the flags
> are checked to be 0/1 in the remaining OpenSSH code.

Think: bit 1 = disabled by server config, bit 2 = disabled because
password is expired and not yet changed. Bit 2 gets cleared if the user
successfully changes the password, but if the server config denies it
then the forwarding request will still be denied.

The code that checks those flags looks like:

    if (!no_port_forwarding_flag)
        [...]

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

sorry ... my fault

these are all "no_*" flags that get true with the 2nd bit set

writing down the question sometimes helps to find the answer by myself.

frank

Frank Mohr wrote:
>
> Hi
>
> I just "stumbled" over the flags settings in
> pam_password_change_required().
> As far as I looked over the OpenSSH code, setting/resetting the 2nd bit
> in those flags from auth-options.c would only make sense if the flags
> are checked to be 0/1 in the remaining OpenSSH code.
>
> Frank
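
Added example (not part of the original thread and not OpenSSH's own code): a small C model of the two-bit scheme described in Darren Tucker's reply. It shows that clearing bit 2 after a password change leaves a server-config denial in place, whereas tracking both reasons in one shared bit would re-enable forwarding. The macro and function names are hypothetical; only no_port_forwarding_flag and the bit meanings come from the thread.

```c
#include <stdio.h>

/* Hypothetical names for the two bits described in the thread. */
#define DENY_BY_CONFIG  0x1   /* "bit 1": disabled by server config */
#define DENY_PW_EXPIRED 0x2   /* "bit 2": password expired, not yet changed */

/* Set or clear one denial reason without touching the others. */
static int set_reason(int flag, int reason, int on)
{
    return on ? (flag | reason) : (flag & ~reason);
}

/* The check quoted in the thread: any set bit denies the request. */
static int allowed(int no_port_forwarding_flag)
{
    return !no_port_forwarding_flag;
}

/*
 * Model one login: apply the server config, mark the password expired,
 * then record a successful password change. Returns 1 if forwarding is
 * allowed afterwards, 0 if denied, -1 if it was wrongly allowed while
 * the password was still expired.
 *
 * expiry_bit selects where the "expired" reason is stored:
 * DENY_PW_EXPIRED is the scheme from the thread; DENY_BY_CONFIG models
 * (as an assumption for contrast) a single 0/1 flag shared by both reasons.
 */
static int allowed_after_change(int denied_by_config, int expiry_bit)
{
    int flag = set_reason(0, DENY_BY_CONFIG, denied_by_config);

    flag = set_reason(flag, expiry_bit, 1);   /* password expired */
    if (allowed(flag))
        return -1;
    flag = set_reason(flag, expiry_bit, 0);   /* password changed */
    return allowed(flag);
}

int main(void)
{
    printf("two bits, config allows: %d\n", allowed_after_change(0, DENY_PW_EXPIRED));
    printf("two bits, config denies: %d\n", allowed_after_change(1, DENY_PW_EXPIRED));
    printf("one bit,  config denies: %d\n", allowed_after_change(1, DENY_BY_CONFIG));
    return 0;
}
```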