search for: pam_change_expired_authtok

Displaying 14 results from an estimated 14 matches for "pam_change_expired_authtok".

2003 Oct 12
4
[PATCH]: Call pam_chauthtok from keyboard-interactive.
Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password if it's expired, right? From the Solaris pam_chauthtok man page: [quote] PAM_CHANGE_EXPIRED_AUTHTOK The password service should only update those passwords that have aged. If this flag is not passed, all pa...
2003 May 02
6
openssh 3.6.1_p2 problem with pam (fwd)
----- Forwarded message from Andrea Barisani <lcars at infis.univ.trieste.it> ----- Date: Fri, 2 May 2003 14:01:33 +0200 From: Andrea Barisani <lcars at infis.univ.trieste.it> To: openssh at openssh.com Subject: openssh 3.6.1_p2 problem with pam Hi, I've just updated to openssh 3.6.1_p2 and I notice this behaviour: # ssh -l lcars mybox [2 seconds delay] lcars at mybox's
2003 Dec 07
0
[PATCH] Do PAM chauthtok via keyboard-interactive.
...v)); @@ -290,9 +314,28 @@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; + + if (compat20) { + if (do_pam_account()) { + if (sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + pam_password_change_required(0); + } + } else { + goto auth_fail; + } + } + buffer_put_cstring(&buffer, "OK"); #ifndef USE_POSIX_THREADS + /* Export variables set by do_pam_account */ + buffer_put_int(&buf...
2003 Nov 13
0
[PATCH] Perform do_pam_chauthtok via SSH2 keyboard-interactive.
...@ sshpam_thread(void *ctxtp) sshpam_err = pam_authenticate(sshpam_handle, 0); if (sshpam_err != PAM_SUCCESS) goto auth_fail; +#ifndef DISABLE_KBDINT_CHAUTHTOK + if (compat20) { + if (do_pam_account() && sshpam_new_authtok_reqd) { + sshpam_err = pam_chauthtok(sshpam_handle, + PAM_CHANGE_EXPIRED_AUTHTOK); + if (sshpam_err != PAM_SUCCESS) + goto auth_fail; + sshpam_new_authtok_reqd = 0; /* XXX: reset fwd flags */ + } + } +#endif buffer_put_cstring(&buffer, "OK"); ssh_msg_send(ctxt->pam_csock, sshpam_err, &buffer); buffer_free(&buffer); @@ -532,11 +546,16 @@ fi...
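Review bot: in the condition "if (do_pam_account() && sshpam_new_authtok_reqd)", a failing do_pam_account() short-circuits the whole block, and in the visible lines control then reaches buffer_put_cstring(&buffer, "OK"), so an account-management failure is not turned into auth_fail here. Suggest testing the do_pam_account() result on its own, jumping to auth_fail when it fails, and handling sshpam_new_authtok_reqd only inside the success branch. The "XXX: reset fwd flags" comment should also say which flags are meant and where they are reset.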
2004 Dec 28
2
LinuxPAM and sshd: changing conversation function doesn't work but claims to.
...e, PAM_CONV, (const void *)&tty_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", pam_strerror(sshpam_handle, sshpam_err)); debug("PAM: changing password"); sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); The conversation functions also have a debug() at the start announcing that they've been called and the number of messages passed. If I run the server[1] in debug mode with PAM enabled and privilege separation off, and connect with SSHv1 with an account that has an expired password, t...
2000 Sep 13
2
auth-pam.c support for pam_chauthtok()
...s expired. This needs to be called after an interactive + * session is established and the user's pty is connected to + * stdin/stout/stderr. + */ +void do_pam_chauthtok() +{ + int pam_retval; + + if (password_change_required) { + pamstate = OTHER; + do { + pam_retval = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); + } while (pam_retval != PAM_SUCCESS); } } @@ -238,12 +291,11 @@ debug("Starting up PAM with username \"%.200s\"", pw->pw_name); - pam_retval = pam_start(SSHD_PAM_SERVICE, pw->pw_name, &conv, - (pam_handle_t**)&pamh); + pam_retval = pam_start(SSHD_P...
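Review bot: the do/while around pam_chauthtok() in do_pam_chauthtok() repeats until PAM_SUCCESS with no retry limit and no check of which error was returned, so a failure that a retry cannot fix keeps the session looping indefinitely. Suggest bounding the number of attempts, leaving the loop on return values that will not clear on retry, and logging pam_retval on each failure. In the comment above the function, "stout" should read "stdout".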
2003 Oct 29
4
Fix for USE_POSIX_THREADS in auth-pam.c
...id *)&pam_conv); if (sshpam_err != PAM_SUCCESS) fatal("PAM: failed to set PAM_CONV: %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); debug("PAM: changing password"); - sshpam_err = pam_chauthtok(sshpam_handle, PAM_CHANGE_EXPIRED_AUTHTOK); + sshpam_err = pam_chauthtok(grab_pamh(0, NULL), PAM_CHANGE_EXPIRED_AUTHTOK); if (sshpam_err != PAM_SUCCESS) fatal("PAM: pam_chauthtok(): %s", - pam_strerror(sshpam_handle, sshpam_err)); + pam_strerror(grab_pamh(0, NULL), sshpam_err)); } /* @@ -706,7 +803,7 @@ compou...
2006 Jan 19
5
Only one chance to enter a new password?
Hello there, We are using OpenSSH_3.9p1, OpenSSL 0.9.7d 17 Mar 2004 on various Solaris boxes with PAM and an LDAP server back end. Recently we have added a requirement for users to have complex passwords. The problem is, if a user's password has expired, when they log in they are prompted for a new password (good) but if they enter a non-complex new password the session is closed rather than
2018 Sep 28
2
Support for RFC4252 in sshd with PAM
...ug3: mm_request_receive_expect entering: type 26 debug3: mm_request_receive entering debug3: mm_get_keystate: GOT new keys debug3: mm_auth_password: user authenticated [preauth] However all I can see from the "password_change_required" is code in auth-pam.c to set the auth token to PAM_CHANGE_EXPIRED_AUTHTOK, but no RFC4252 style communication. Then later. debug2: ## DH: userauth_finish [preauth] debug3: auth2_update_methods_lists: updating methods list after "password" [preauth] debug2: authentication methods list 0 complete [preauth] debug2: ## DH: about to do_pam_account [preaut...
2002 Dec 21
6
[PATCH] PAM chauthtok + Privsep
...tcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); -#if 0 /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ + password_chan...
2003 Mar 20
4
Call for testing for 3.6: password expiry?
I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible: http://bugzilla.mindrot.org/show_bug.cgi?id=14 On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1: http://bugzilla.mindrot.org/show_bug.cgi?id=125 In fact, both patches work together, apparently. If I have any
2002 Dec 10
5
[PATCH] Password expiry with Privsep and PAM
...tcred(int init) { @@ -344,17 +354,15 @@ do_pam_set_conv(&conv); if (password_change_required) { - if (use_privsep) - fatal("Password changing is currently unsupported" - " with privilege separation"); pamstate = OTHER; pam_retval = pam_chauthtok(__pamh, PAM_CHANGE_EXPIRED_AUTHTOK); if (pam_retval != PAM_SUCCESS) fatal("PAM pam_chauthtok failed[%d]: %.200s", pam_retval, PAM_STRERROR(__pamh, pam_retval)); -#if 0 /* XXX: This would need to be done in the parent process, * but there's currently no way to pass such request. */ + password_chan...
2002 Jul 02
3
New PAM kbd-int diff
...a packet during conversation"); - } - - if (context_pam2.num_received == context_pam2.num_expected) { - *resp = context_pam2.responses; - return PAM_SUCCESS; - } else - return PAM_CONV_ERR; + err = pam_acct_mgmt(sshpamh, 0); + if (err == PAM_NEW_AUTHTOK_REQD) + err = pam_chauthtok(sshpamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (err != PAM_SUCCESS) + goto auth_fail; +#endif + sshpam_send(ctxt, "=OK"); + pam_end(sshpamh, err); + exit(0); + + auth_fail: + sshpam_send(ctxt, "!%s", pam_strerror(sshpamh, err)); + pam_end(sshpamh, err); + exit(0); } -void -input_userauth_info_response_pam(int type...
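Review bot: both the success path and the auth_fail label end with pam_end(sshpamh, err); exit(0);, so the child's exit status is the same either way and the parent can only tell the outcome from the "=OK" or "!%s" message. Suggest a non-zero exit status on auth_fail so the result is still unambiguous if the message is not received, and a short comment stating that the leading "=" and "!" characters are the success and failure markers.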
2002 Jun 25
4
PAM kbd-int with privsep
...le(context_pam2.finished == 0) { - done = 1; - dispatch_run(DISPATCH_BLOCK, &done, appdata_ptr); - if(context_pam2.finished == 0) - debug("extra packet during conversation"); - } + err = pam_acct_mgmt(sshpamh, 0); + if (err == PAM_NEW_AUTHTOK_REQD) + err = pam_chauthtok(sshpamh, PAM_CHANGE_EXPIRED_AUTHTOK); + if (err != PAM_SUCCESS) + goto auth_fail; +#endif + sshpam_send(ctxt, "=OK"); + pam_end(sshpamh, err); + exit(0); + + auth_fail: + sshpam_send(ctxt, "!%s", pam_strerror(sshpamh, err)); + pam_end(sshpamh, err); + exit(0); +} - if(context_pam2.num_received == context_pam2.n...