openssh unix dev - Jan 2015 - Usability issue when forced to change password when logging in to a system

John Olsson M wrote:
> What about changing the dialog like this? (The instructions matches better
I think there's a good case to be made for OpenSSH to not provide any
instructions at all unless it is in charge of the dialog itself.

Have you checked that the current instructions are actually output by
OpenSSH? The string seems to be in openbsd-compat/bsd-cray.c inside
#ifdef _UNICOS

> Login As: Foobar
> Password:
> Your password has expired. Retype your old password.
I'd argue simply for "Your password has expired."
> Old Password:
> Choose a new password.
> New Password:
> Retype your new password
> New Password:
> Could this be implemented without the need for caching any password
Why don't you try? All arguments are better received with a patch.


//Peter

Why don't you try? All arguments are better received with a patch.

Sure! :)

Where can I find instructions on how to setup my own build and test 
environment for OpenSSH development on Ubuntu 14.04? Any official 
OpenSSH design rules I should consider (apart from following the style 
already used in the source code)?

The initial dialog example (that motivated me to send the initial email 
to the list) comes from a system based on SLED 11 SP3.

When checking, the actual dialog presented at login is identical to what 
happens when you run the passwd command in the shell to change your 
password. Thus it seems like the dialog texts does not originate from 
OpenSSH itself. So the "culprit" might actually be PAM...


/John

On 2015-01-26 12:33, Peter Stuge wrote:
> John Olsson M wrote:
>> What about changing the dialog like this? (The instructions matches
better
> I think there's a good case to be made for OpenSSH to not provide any
> instructions at all unless it is in charge of the dialog itself.
>
> Have you checked that the current instructions are actually output by
> OpenSSH? The string seems to be in openbsd-compat/bsd-cray.c inside
> #ifdef _UNICOS
>
>
>> Login As: Foobar
>> Password:
>> Your password has expired. Retype your old password.
> I'd argue simply for "Your password has expired."
>
>> Old Password:
>> Choose a new password.
>> New Password:
>> Retype your new password
>> New Password:
>
>> Could this be implemented without the need for caching any password
> Why don't you try? All arguments are better received with a patch.
>
>
> //Peter
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

On Tue, Jan 27, 2015 at 6:40 AM, John Olsson M <john.m.olsson at
ericsson.com>
wrote:
> Why don't you try? All arguments are better received with a patch.
>
> Sure! :)
>
> Where can I find instructions on how to setup my own build and test
> environment for OpenSSH development on Ubuntu 14.04?

The general requirements and build instructions are in the INSTALL file.
The -dev packages you need for Debian based distros like Ubuntu are listed
in README.platform.

> Any official OpenSSH design rules I should consider (apart from following
> the style already used in the source code)?
>
OpenSSH follows the OpenBSD style:
http://www.openbsd.org/cgi-bin/man.cgi/OpenBSD-current/man9/style.9

> The initial dialog example (that motivated me to send the initial email to
> the list) comes from a system based on SLED 11 SP3.
>
> When checking, the actual dialog presented at login is identical to what
> happens when you run the passwd command in the shell to change your
> password. Thus it seems like the dialog texts does not originate from
> OpenSSH itself. So the "culprit" might actually be PAM...

It could be PAM.   What is odd is that the transcript you originally posted
does not contain the text "You must change your password now and login
again!" which sshd prints when it changes passwd by exec'ing
/bin/passwd.

If you are investigating PAM's behaviour you might want to try the test
harness tool I wrote for this purpose:
http://www.dtucker.net/patches/#pamtest

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

John Olsson M wrote:
> Where can I find instructions on how to setup my own build and test 
> environment for OpenSSH development on Ubuntu 14.04?
git clone https://anongit.mindrot.org/openssh.git
cd openssh
autoreconf -fi
./configure --prefix=/tmp/ossh && make install

Now make changes, then run git commit, then git show to review your
commit, when you are happy with it run git format-patch -1 to save it
into a patch file which you either email to the list or attach in
bugzilla.

> it seems like the dialog texts does not originate from OpenSSH itself.
Then there's of course nothing sshd can do to fix it.


//Peter