search for: passwdexpir

...ng EXCEPT this. Security problem is, this allows access when access should be denied. Default for expires is -1, which means a password will expire as in maxage, but the user can change his password at anytime, however once set, access should be denied. Being a simple soul, I have added a routine passwdexpires ( AIX Lib ) directly after loginrestrictions with the same code. I think this should be urgently added to the code - hope this helps. auth.c /* mpi change expiresmsg */ #ifdef WITH_AIXAUTHENTICATE char *loginmsg; char *expiresmsg; int passexpcode; #endif /* WITH_AIXAUTH...

http://bugzilla.mindrot.org/show_bug.cgi?id=869 Summary: Password expiration does not work for LDAP users Product: Portable OpenSSH Version: -current Platform: PPC OS/Version: AIX Status: NEW Severity: critical Priority: P2 Component: Miscellaneous AssignedTo: openssh-bugs at mindrot.org

http://bugzilla.mindrot.org/show_bug.cgi?id=1046 Summary: AIX 5.3 Garbage on Login Product: Portable OpenSSH Version: 4.0p1 Platform: PPC OS/Version: AIX Status: NEW Severity: normal Priority: P2 Component: ssh AssignedTo: bitbucket at mindrot.org ReportedBy: rajsingh at hotmail.com

...er: today %d sp_expire %d sp_lstchg %d" @@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0)) return 0; } + } + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. + */ + if (geteuid() == 0) { + char *msg, *user = pw->pw_name; + int result, maxage, result2, maxexpired; + struct userpw *upw; + + /* + * Check if password has been expired too long. In this case, + * passwdexpired still returns 1 but /bin/passwd will fail + * wh...

...er: today %d sp_expire %d sp_lstchg %d" @@ -221,6 +223,65 @@ stat(_PATH_NOLOGIN, &st) == 0)) return 0; } + } + + /* + * Check AIX password expiry. Only check when running as root. + * Unpriv'ed users can't access /etc/security/passwd or + * /etc/security/user so passwdexpired will always fail. + */ + if (geteuid() == 0) { + char *msg, *user = pw->pw_name; + int result, maxage, result2, maxexpired; + struct userpw *upw; + + /* + * Check if password has been expired too long. In this case, + * passwdexpired still returns 1 but /bin/passwd will fail + * wh...

...ogin restricted for %s: %.100s", pw->pw_name, loginmsg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; } - return 0; + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &aixexpiremsg); + if ( passexpcode > 0 ) { + if (aixexpiremsg && *aixexpiremsg) { + aix_remove_embedded_newlines(aixexpiremsg); + + if ( passexpcode == 1 ) { + aix_password_change_required = 1; + } else { + /* expired too long, account lock...

...for %s: %.100s", pw->pw_name, msg); + xfree(msg); } - /* Remove trailing newline */ - *--p = '\0'; - log("Login restricted for %s: %.100s", pw->pw_name, loginmsg); + return 0; } - return 0; - } + + /* check for AIX expired account */ + passexpcode = passwdexpired(pw->pw_name, &msg); + buffer_append(&expire_message, msg, strlen(msg)); + + switch (passexpcode) { + case 0: /* success, password not expired */ + break; + case 1: /* expired, password change required */ + password_change_required = 1; + break; + default: /* expired...

Is it possible to get sshd to report the number of days till a password expires after a login ? If not, how else could I do it ? Thanks ___________________________________________________________ Paul Faure paul at engsoc.carleton.ca

...retval; /* * Get IP address of client. If the connection is not a socket, let @@ -730,6 +735,44 @@ #ifdef WITH_AIXAUTHENTICATE if (aixloginmsg && *aixloginmsg) printf("%s\n", aixloginmsg); +#endif /* WITH_AIXAUTHENTICATE */ + +#ifdef WITH_AIXAUTHENTICATE + + retval = passwdexpired(pw->pw_name,&msg); + + if (msg && *msg) + printf("%s\n",msg); + + if (retval == 1) { + + pid_t pid; + int status; + mysig_t old_signal; + + old_signal = mysignal(SIGCHLD, SIG_DFL); + + if ((pid = fork()) == -1) + fatal("Couldn't fork: %s", strerror(...

...message that my password will expire in xx days, but sshd shows that it is picking up that info (next three lines) debug1: sys_auth_passwd: msg Last unsuccessful login: Thu May 13 15:11:10 2004 on ssh from mxpgh0.cna.com Last login: Fri Jun 4 19:31:33 2004 on /dev/pts/13 from loopback debug3: AIX/passwdexpired returned 0 msg Your password will expire: Thu Aug 5 21:53:44 2004 The client just shows c020914 at localhost's password: ***************************************************** ! ! ! ! ! WARNING ! ! ! ! ! Unauthorized access and use of this system is not permitted and is strictly prohibited...

Hi there, I have just compiled up 3.6.1p2 both with and without Darren Tuckers passexpire patch. However, with the patch applied /etc/nologin isn't displayed to users (on AIX 5.1 / PSSP) The patched vesion seems to fail with "illegal user" - some parts of a debug 3 log... debug1: userauth-request for user ade45 service ssh-connection method none debug1: attempt 0 failures 0

...RD debug3: monitor_read: checking request 10 debug3: mm_request_receive_expect entering: type 11 debug3: inside auth_password debug3: mm_request_receive entering debug3: AIX/authenticate result 0, msg debug3: AIX SYSTEM attribute compat debug3: AIX/setauthdb set registry 'files' debug3: AIX/passwdexpired returned 0 msg debug3: aix_restoreauthdb: restoring old registry '' debug3: mm_answer_authpassword: sending result 1 debug3: mm_request_send entering: type 11 Accepted password for root from 192.168.0.113 port 4088 ssh2 debug3: mm_auth_password: user authenticated debug1: monitor_child_p...

http://bugzilla.mindrot.org/show_bug.cgi?id=14 ------- Additional Comments From dtucker at zip.com.au 2003-01-09 23:17 ------- Created an attachment (id=199) --> (http://bugzilla.mindrot.org/attachment.cgi?id=199&action=view) Implement password change via /bin/passwd in session. openssh-passexpire10.patch: * Implementes shadow and AIX password expiry. * Adds general expire_message

Hi, OpenSSH 7.8p1 is almost ready for release, so we would appreciate testing on as many platforms and systems as possible. This is a bugfix release. Snapshot releases for portable OpenSSH are available from http://www.mindrot.org/openssh_snap/ The OpenBSD version is available in CVS HEAD: http://www.openbsd.org/anoncvs.html Portable OpenSSH is also available via git using the instructions at

...xpect entering: type 13 [preauth] debug3: mm_request_receive entering [preauth] debug3: mm_request_receive entering debug3: monitor_read: checking request 12 debug3: AIX/authenticate result 0, authmsg debug3: AIX SYSTEM attribute compat debug3: AIX/setauthdb set registry 'files' debug3: AIX/passwdexpired returned 1 msg You are required to change your password. Please choose a new one. debug3: aix_restoreauthdb: restoring old registry '' debug3: mm_answer_authpassword: sending result 1 debug3: mm_request_send entering: type 13 Accepted password for cpdp from 10.1.0.161 port 54046 ssh2 deb...

I have a few patches for AIX. The patchfile is attached below. The patch has been tested on AIX4.2 and AIX4.3. The patch is on openssh-1.2.1pre25, with openssl-0.94, using RSAref. 1) authenticate support - this function allows the system to determine authentification. Whatever the system allows for login, authenticate will too. It doesn't matter whether it is AFS, DFS, SecureID, local.