search for: force_pwchang

http://bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- OtherBugsDependingO| |793 nThis| | ------- You are receiving this mail because: ------- You are on the CC list for

...ugs at mindrot.org ReportedBy: buckh at pobox.com if you don't authenticate via pam/keyboard-interactive, then when do_pam_account figures out your password is expired and calls pam_password_change_required, the latter will probably segfault when it dereferences the uninitialized int *force_pwchange. this is b/c, if you don't authenticate using the PRIVSEP(sshpam_device), sshpam_init_ctx is never called, so force_pwchange isn't properly initialized i'll attach a workaround patch, but not without serious misgivings about how crappy it is, so it won't hurt my feelings if you co...

...+extern struct sshauthopt *auth_opts; #define DAY (24L * 60 * 60) /* 1 day in seconds */ #define TWO_WEEKS (2L * 7 * DAY) /* 2 weeks in seconds */ @@ -122,8 +123,11 @@ auth_password(struct ssh *ssh, const char *password) } #endif result = sys_auth_passwd(ssh, password); - if (authctxt->force_pwchange) + if (authctxt->force_pwchange) { auth_restrict_session(ssh); + /* Allow password change via pty */ + auth_opts->permit_pty_flag = 1; + } return (result && ok); } Is this an intentional change (auth_restrict_session) or is just an oversight to enable the PTY back to allow...

http://bugzilla.mindrot.org/show_bug.cgi?id=1188 Summary: keyboard-interactive should not allow retry after pam_acct_mgmt fails Product: Portable OpenSSH Version: -current Platform: Other OS/Version: All Status: NEW Severity: normal Priority: P2 Component: PAM support

...ng users completely out of the system unless they always change their passwords before they expire, or there is an alternate access path (such as telnet) to work around the problem. The attached patch corrects this issue for password-based authentication by checking the password status and setting force_pwchange when appropriate. Other authentication methods (including my favorite, public-key-based) are still screwed up because I couldn't figure out where to hook in the password check. :-p I hope this patch, or better yet an improved more comprehensive version, will be included in future releases....

...problem. I know it looks like an odd combination, but regardless of how I choose to authenticate, my account is still accessible via a password in so many ways, and so that password must be changed regularly. sshd appears to be crashing in pam_password_change_required(). I can only assume that force_pwchange is not initialised. I'll know soon after I get a version of openssh built with debugging symbols, but that'll have to wait until Monday. Lloyd

In our password settings we have: > samba-tool domain passwordsettings show : Password complexity: on Store plaintext passwords: off : Minimum password age (days): 0 Maximum password age (days): 90 : I don't find any setting for how many days before the expiration to warn users about the pending expiration. On Windows, users seem to get notified about a pending password expiration at

...- usr.bin/ssh/auth-passwd.c 2006/08/03 03:34:41 1.40 +++ usr.bin/ssh/auth-passwd.c 2006/09/18 09:35:52 @@ -144,7 +144,7 @@ if (as == NULL) return (0); if (auth_getstate(as) & AUTH_PWEXPIRED) { - auth_close(as); + auth_close_do_env(authctxt, as); disable_forwarding(); authctxt->force_pwchange = 1; return (1); @@ -153,7 +153,7 @@ expire_checked = 1; warn_expiry(authctxt, as); } - return (auth_close(as)); + return (auth_close_do_env(authctxt, as)); } } #else Index: usr.bin/ssh/auth.h =================================================================== RCS file: /cvs/sr...

Hi, SSH brute force attacks seem to enjoy increasing popularity. Call me an optimist or a misrouted kind of contributer to the community, but on our company server I actually go through the logs and report extreme cases to the providers of the originating IP's. With the increasing number of these attacks, however, I have now decided that it's better to move the SSHd to a different

I looked around for a while, but couldn't find any code for requiring multiple authentication mechanisms in openssh. So I wrote an implemention. I thought at first I should change the PasswordAuthentication, PubkeyAuthentication, etc. keywords to allow no/yes/required. But there's some funky stuff in auth2.c with respect to keyboard interactive auth that would make this kind of