search for: password_change_required

...ore generic. (There's actually a net reduction in #ifdefs). Patch against CVS: 1) configure finds passwd. 2) sshd uses passwd during session if required. 3) sshd uses passwd for PAM change if privsep disabled. 4) sshd uses Buffers for expire and post-login messages (no longer AIX specific). 5) password_change_required generalized (no longer PAM specific). Tested on the following configurations: Redhat 8 (without PAM) AIX 4.3.3 Solaris 8 (without PAM) HP-UX 11.0 (trusted configuration, with PAM) I'm confused about this from auth-pam.c: /* XXX: This would need to be done in the parent process, * but there&...

...nclude "xmalloc.h" #include "canohost.h" +#include "misc.h" +#include "auth-options.h" #if !defined(HAVE_OSF_SIA) /* Don't need any of these headers for the SIA cases */ @@ -82,6 +84,7 @@ extern ServerOptions options; extern Buffer loginmsg; +int password_change_required = 0; /* * Tries to authenticate the user using password. Returns true if @@ -248,4 +251,81 @@ /* Authentication is accepted if the encrypted passwords are identical. */ return (strcmp(encrypted_password, pw_password) == 0); #endif /* !HAVE_OSF_SIA */ +} + +/* + * Perform generic password...

...t; +#include "misc.h" +#include "buffer.h" #include "openbsd-compat/xcrypt.h" #ifdef WITH_AIXAUTHENTICATE # include "buffer.h" # include "canohost.h" -extern Buffer loginmsg; #endif extern ServerOptions options; +extern Buffer loginmsg; +int password_change_required = 0; /* * Tries to authenticate the user using password. Returns true if @@ -168,4 +172,81 @@ } # endif #endif /* !HAVE_OSF_SIA */ +} + +/* + * Perform generic password change via tty. Like do_pam_chauthtok(), + * it throws a fatal error if the password can't be changed. + */ +int +d...

...et the password */ -/* into PAM and to pick up any messages generated by PAM into pamconv_msg */ +/* states for pamconv() */ +typedef enum { INITIAL_LOGIN, OTHER } pamstates; +static pamstates pamstate = INITIAL_LOGIN; +/* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ +static int password_change_required = 0; + +/* + * PAM conversation function. + * There are two states this can run in. + * + * INITIAL_LOGIN mode simply feeds the password from the client into + * PAM in response to PAM_PROMPT_ECHO_OFF, and collects output + * messages with pam_msg_cat(). This is used during initial + * authenticat...

Hi, I was doing some research on why new openssh-versions (3.4 and 3.5p1) doesnt ask you to change expired passwords (it just disconnects you) and found something curious. Line 259 of auth-pam.c has "#if 0" and then the code to set some vars (eg. password_change_required to true) followed by an "endif". Why is that? I'm not a C expert, but I think "if 0" is a non-possible situation, right? I then removed these conditions, and it worked just fine, changed my password as it should.. btw, yes, I removed "Privilege Separation" to...

...case PAM_SUCCESS: /* This is what we want */ break; -#if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@...

...case PAM_SUCCESS: /* This is what we want */ break; -#if 0 case PAM_NEW_AUTHTOK_REQD: - message_cat(&__pam_msg, use_privsep ? - NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); + message_cat(&__pam_msg, NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ @@ -267,7 +266,6 @@ no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; -#endif default: log("PAM rejected by account configuration[%d]: " "%.200s", pam_retval, PAM_STRERROR(__pamh, @@...

...ed by account configuration" error message. I noticed that this functionality has been disabled in auth-pam.c #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

...Why this part of the code is not used in 3.5p1? Is there any specific reasons for not using this part of the code? #if 0 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG); /* flag that password change is necessary */ password_change_required = 1; /* disallow other functionality for now */ no_port_forwarding_flag |= 2; no_agent_forwarding_flag |= 2; no_x11_forwarding_flag |= 2; break; #endif Please reply. Thanks Logsnaath. ----- End forwarded message -----

...m_request_receive entering debug1: do_pam_account: called debug2: do_pam_account: auth information in SSH_AUTH_INFO_0 debug3: PAM: sshpam_passwd_conv called with 1 messages debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required) debug3: sshpam_password_change_required 1 debug3: mm_request_send entering: type 103 Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2 debug1: monitor_child_preauth: dhubbard2 has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 26...

Here is a patch that does TIS auth via PAM. It's controlled by a switch in the sshd_config. You'd use it by having a PAM module that sets PAM_PROMPT_ECHO_ON. eg, you could use it with pam_skey or pam_smxs. The patch is against the 2.9.9p2 distribution. I'm not on the list, a reply if this patch is accepted would be great. (But not required, I know some folks have a distaste for

..." @@ -54,6 +56,8 @@ /* states for do_pam_conversation() */ enum { INITIAL_LOGIN, OTHER } pamstate = INITIAL_LOGIN; +/* which type of prompts we should handle, set in auth_pam_password */ +static int pamprompt; /* remember whether pam_acct_mgmt() returned PAM_NEWAUTHTOK_REQD */ static int password_change_required = 0; /* remember whether the last pam_authenticate() succeeded or not */ @@ -98,6 +102,10 @@ int count; char buf[1024]; + u_int dlen; + int plen, type; + char *response; + /* PAM will free this later */ reply = malloc(num_msg * sizeof(*reply)); if (reply == NULL) @@ -111,10 +119,40 @@...

I have tried this patch (against 3.5p1) and would very much like it to be in the OpenSSH 3.6p1 release, if possible: http://bugzilla.mindrot.org/show_bug.cgi?id=14 On that note, I'd like the Sun BSM patch to be included also, if possible. I have it working applied to 3.5p1: http://bugzilla.mindrot.org/show_bug.cgi?id=125 In fact, both patches work together, apparently. If I have any