search for: has_shadow_expire

...base properly. Apart from misdocumenting /etc/shadow as having 4 fields when in fact it has 5 (including the "last changed" field), its getspnam() fills in the sp_expire field of the spwd structure with 0. And since by default, shadow support is enabled and the configure script turns on HAS_SHADOW_EXPIRE when it finds that field, the built sshd ends up refusing all connections on the grounds of an expired account. I have dealt with this temporarily by hacking as follows: ========== cut ========= *** auth-shadow.c.was Sun Apr 29 02:10:58 2007 --- auth-shadow.c Wed Sep 19 01:04:18 2007 ****...

Hi Damien, I noticed you merged a couple of ifdefs in the fix for bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd = pw->pw_passwd; #endif [test for locked passwd entry] If the platform is using PAM, /etc/passwd is checked regardless of whether or not it actually has /etc/shadow. If the platform has /etc/shad...

http://bugzilla.mindrot.org/show_bug.cgi?id=723 Summary: Password expire not working properly Product: Portable OpenSSH Version: -current Platform: Sparc OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: Build system AssignedTo: openssh-bugs at mindrot.org ReportedBy:

...120,6 +120,7 @@ int auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt); int auth_krb5_password(Authctxt *authctxt, const char *password); void krb5_cleanup_proc(Authctxt *authctxt); +void session_krb5_use_ccache(Authctxt *authctxt); #endif /* KRB5 */ #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) --- orig/session.c +++ mod/session.c @@ -1462,20 +1462,22 @@ * home directory is in AFS and it's not world-readable. */ - if (options.kerberos_get_afs_token && k_hasafs() && - (s->authctxt->krb5_ctx != NULL)) { - char cell[64]; + if (options.kerberos_get_a...

...is listed @@ -75,21 +81,22 @@ const char *hostname = NULL, *ipaddr = NULL; char *shell; int i; -#ifdef WITH_AIXAUTHENTICATE - char *loginmsg; -#endif /* WITH_AIXAUTHENTICATE */ #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) struct spwd *spw; +#endif /* Shouldn't be called if pw is NULL, but better safe than sorry... */ if (!pw || !pw->pw_name) return 0; + buffer_init(&expire_message); +#if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ + !defined(DISABLE_SHADOW) && de...

...running IRIX 6.5.14. When I try expiring a user password in the /etc/shadow file, I cannot login. I continually get prompted for my password and I never get logged in. I viewed the config.h file after doing a ./configure in the openssh directory and found the following flags turned on: #define HAS_SHADOW_EXPIRE 1 #define HAVE_SHADOW_H 1 Could you please let me know of any extra compiling flags or other fixes for this problem? Thank you, Ryan Bathauer ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

http://bugzilla.mindrot.org/show_bug.cgi?id=442 ------- Additional Comments From dtucker at zip.com.au 2002-11-24 14:25 ------- Created an attachment (id=181) --> (http://bugzilla.mindrot.org/attachment.cgi?id=181&action=view) Test for locked account in allowed_user() Tested on Redhat 8 and Solaris 8. ------- You are receiving this mail because: ------- You are the assignee for

...t i; #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) @@ -85,8 +85,7 @@ allowed_user(struct passwd * pw) return 0; #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) - if (!options.use_pam) - spw = getspnam(pw->pw_name); + spw = getspnam(pw->pw_name); #ifdef HAS_SHADOW_EXPIRE #define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && spw != NULL) {

...example, "root") entries and getpwnam(3) for non-shadowed users' entries. Otherwise, the function "allowed_user" in auth.c of openssh-2.1.1p2 has the following lines: 59 #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ 60 defined(HAS_SHADOW_EXPIRE) 61 struct spwd *spw; 62 63 /* Shouldn't be called if pw is NULL, but better safe than sorry */ 64 if (!pw) 65 return 0; 66 67 spw = getspnam(pw->pw_name); 68 if (spw == NULL) 69 return 0; . So, getspnam will re...

...r attached debug file] I have installed OpenSSH-3.8 without any password expiry patch and that also works with PAM_LDAP with Shadow passwords. I am wondering why 3.7.1p2 alone do not work when 3.6, and 3.8 works. Both 3.7 and 3.8 have the following macros in config.h #undef DISABLE_SHADOW #define HAS_SHADOW_EXPIRE 1 #define HAVE_SHADOW_H 1 #define HAVE_SECURITY_PAM_APPL_H 1 #define USE_PAM 1 #define PAM_SUN_CODEBASE 1 #define HAVE_LIBPAM 1 /* #undef PAM_TTY_KLUDGE */ /* #undef HAVE_OLD_PAM */ /* #undef HAVE_PAM_GETENVLIST */ /* #undef HAVE_PAM_PUTENV */ Some more info on the PAM_LDAP library used on the sys...

...* Debugging messages */ Buffer auth_debug; @@ -86,9 +87,10 @@ if (!pw || !pw->pw_name) return 0; +#define DAY (24L * 60 * 60) /* 1 day in seconds */ +#define WEEK (DAY * 7) /* 1 week in seconds */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ defined(HAS_SHADOW_EXPIRE) -#define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" @@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0))...

...* Debugging messages */ Buffer auth_debug; @@ -86,9 +87,10 @@ if (!pw || !pw->pw_name) return 0; +#define DAY (24L * 60 * 60) /* 1 day in seconds */ +#define WEEK (DAY * 7) /* 1 week in seconds */ #if defined(HAVE_SHADOW_H) && !defined(DISABLE_SHADOW) && \ defined(HAS_SHADOW_EXPIRE) -#define DAY (24L * 60 * 60) /* 1 day in seconds */ if (!options.use_pam && (spw = getspnam(pw->pw_name)) != NULL) { today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" @@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0))...

Hi All. With one eye on the do_pam_chauthtok() stuff I've merged contributions by Pablo Sor and Mark Pitt into a patch against -current. I'm interested in testers and suggestions for improvements. The patch extends the loginrestrictions test to include expired accounts (but unlike Mark's patch, doesn't log accounts with expired passwords unless they're locked) and adds

...GSSAPI */ /* #undef KRB5 */ /* #undef HEIMDAL */ /* #undef USE_AFS */ /* #undef SKEY */ /* #undef LIBWRAP */ #define HAVE_LOGIN 1 #define HAVE_DAEMON 1 #define HAVE_GETPAGESIZE 1 #define XAUTH_PATH "/usr/X11R6/bin/xauth" /* #undef HAVE_MD5_PASSWORDS */ /* #undef DISABLE_SHADOW */ #define HAS_SHADOW_EXPIRE 1 /* #undef HAVE_OSF_SIA */ /* #undef HAVE_GETPWANAM */ /* #undef HAVE_OLD_PAM */ /* #undef PAM_SUN_CODEBASE */ /* #undef MAIL_DIRECTORY */ #define HAVE_U_INT 1 #define HAVE_INTXX_T 1 #define HAVE_U_INTXX_T 1 #define HAVE_UINTXX_T 1 #define HAVE_INT64_T 1 #define HAVE_U_INT64_T 1 #define HAVE_U_CHA...

I have used SSHD from openssh-3.7.1p1 on HP-UX 11:11. It works correctly and the entry in the logfile is: Sep 24 07:01:20 garm sshd[6625]: Accepted password for japs from 192.38.97.131 port 2463 Next I have upgraded to openssh-3.7.1p2 and restarted SSHD. It does not accept the password any more and the entries in the logfile are: Sep 24 12:21:38 garm sshd[19542]: User japs not allowed because

OpenSSH 3.0 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly. OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support. This release contains many portability bug-fixes (listed in the ChangeLog) as well as several new features (listed below). We would like to thank the

Hi, The 4.4p1 release is approaching now, so we are now asking people to actively test snapshots or CVS and report back to the mailing list. Snapshots are available from http://www.mindrot.org/openssh_snap or from any of the mirrors listed on http://www.openssh.org/portable.html The latter page also includes instructions for checking out portable OpenSSH via anonymous CVS. This release