Hi, The Solaris password requirements like a. no empty password b. minimum 6 chars etc for a regualr user are not enforced when a password expired user is changing password at the SSH login prompt. The version of openSSH I am using is 3.8.1 and Solaris 8 is where the sshd is running. Is anybody aware of this problem? Is there some configuration option I can use to enforce these password requirements? If its a bug, is there a patch already? I appreciate any help on this. Thanks Srini
Srinivas Gopaladasu wrote:> The Solaris password requirements like > a. no empty password > b. minimum 6 chars > etc for a regular user are not enforced when a password expired user is > changing password at the SSH login prompt.It would appear that those restrictions are implemented in /usr/bin/passwd and not the PAM modules. Since sshd just calls pam_chauthtok(), if PAM allows changing to a short or empty password, then that's what happens. This is probably a bug or design misfeature in the Solaris PAM module (others, eg LinuxPAM, enforce such restrictions). You can disable PAM, or force sshd to use passwd instead of chauthtok with the attached patch. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. -------------- next part -------------- An embedded and charset-unspecified text was scrubbed... Name: chauthtok.patch Url: http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20040729/7049cfbd/attachment-0002.ksh
On Thu, 2004-07-29 at 04:28, Darren Tucker wrote:> Srinivas Gopaladasu wrote: > > The Solaris password requirements like > > a. no empty password > > b. minimum 6 chars > > etc for a regular user are not enforced when a password expired user is > > changing password at the SSH login prompt. > > It would appear that those restrictions are implemented in > /usr/bin/passwd and not the PAM modules.Not true they are implemented in pam_unix or pam_authtok_check (which you have depends on your Solaris 8 patch level).> Since sshd just calls > pam_chauthtok(), if PAM allows changing to a short or empty password, > then that's what happens. This is probably a bug or design misfeature > in the Solaris PAM module (others, eg LinuxPAM, enforce such restrictions).Or a bug in how OpenSSH calls PAM on Solaris and a design difference between the Solaris and LinuxPAM modules. If OpenSSH is calling pam_chauthtok when its real uid is 0 then the Solaris pam_unix and pam_authtok_check modules assume that this is root changing a users password and thus the restrictions need not apply so the checks are not run. -- Darren J Moffat
Srinivas Gopaladasu wrote:> My only problem which I think probably be easily fixed is, any messages > by Solaris are not displayed. > For ex, it shows as below:[...]> Any idea why the messages from Solaris are suppressed?As soon as the PAM call completes, the keyboard-interactive machinery considers the authentication attempt complete and no further keyboard-interactive messages are sent for that round. PAM ERROR_MSG and TEXT_INFO messages are collected and sent with the prompts to the user. The upshot is any ERROR_MSG or TEXT_INFO messages sent after PROMPT_ECHO* will not be displayed if the authentication fails. If the authentication succeeds, the remaining messages are stored for display to the user after login. It would be possible within the protocol to have a final message in the kbdint round with the message in the "instruction" field but zero prompts. I don't know how hard that would be to implement. There's a couple of other options (USERAUTH_BANNER, eg [1] or packet_disconnect). [1] http://bugzilla.mindrot.org/show_bug.cgi?id=892 -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
Maybe Matching Threads
- LinuxPAM and sshd: changing conversation function doesn't work but claims to.
- [Bug 2876] New: PAM_TEXT_INFO and PAM_ERROR_MSG conversation not honoured during PAM authentication
- 5.1p on RHEL 3 and password expiration
- [Bug 1065] password expiration and SSH keys don't go well together
- [PATCH]: Call pam_chauthtok from keyboard-interactive.