search for: sp_lstchg

...when account is locked */ If I lock at account with passwd -l sp_expire is still -1. I tried this on Solaris as well and it seems sp_expire is only for account expiration. The solution on HP-UX 10.20 and 11.0 is to use the getprpw(3) interface. And: /* Check password expiry */ if ((spw->sp_lstchg > 0) && (spw->sp_max > 0) && (days > (spw->sp_lstchg + spw->sp_max))) return 0; If I expire a password with passwd -f: -f Force user to change password upon next login by expiring the current password. sp_lastchg i...

...-0000 @@ -80,18 +80,35 @@ if (!pw || !pw->pw_name) return 0; +#define DAY (24L * 60 * 60) /* 1 day in seconds */ spw = getspnam(pw->pw_name); if (spw != NULL) { - int days = time(NULL) / 86400; + time_t today = time(NULL) / DAY; + debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" + " sp_max %d", (int)today, (int)spw->sp_expire, + (int)spw->sp_lstchg, (int)spw->sp_max); - /* Check account expiry */ - if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) + /* + * We assume account and password expiration occurs t...

...Linux-2.4.0-test7 with glibc-2.1.3. No PAM is installed/used. It uses MD5 passwords and shadow with account expiration feature. In handling of the latter, a probable bug was found. In auth.c, allowed_user(), there is a code at the line 73, saying ... /* Check password expiry */ if ((spw->sp_lstchg > 0) && (spw->sp_inact > 0) && (days > (spw->sp_lstchg + spw->sp_inact))) return 0; } ... In my opinion, this is wrong. sp_inact tells how long the account may remain inactive until it is locked, measured from the last login time. It is set to 30 days for a...

Hi. I have found a error of openssh-2.1.1p2 port on systems with a mixture of shadowed and non-shadowed passwords. I reported a same type of error to Mr. Miller when openssh-1.2.1pre23 was released. On our systems, our local machines have shadowed /etc/passwd (and /etc/shadow) and our NIS server distributes non-shadowed password of general users. We have to use

Hi Damien, I noticed you merged a couple of ifdefs in the fix for bug #442. The cvs comment says "Fix Bug #442 for PAM case". The code is now roughly: #if !defined(USE_PAM) && defined(HAVE_SHADOW_H) && \ !defined(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) spw = getspnam(pw->pw_name); passwd = spw->sp_pwdp; #else passwd =

...; + /* import */ extern ServerOptions options; *************** *** 81,93 **** int days = time(NULL) / 86400; /* Check account expiry */ ! if ((spw->sp_expire >= 0) && (days > spw->sp_expire)) return 0; /* Check password expiry */ if ((spw->sp_lstchg >= 0) && (spw->sp_max >= 0) && ! (days > (spw->sp_lstchg + spw->sp_max))) ! return 0; } #else /* Shouldn't be called if pw is NULL, but better safe than sorry... */ --- 84,106 ---- int days = time(NULL) / 86400; /* Check account expi...

...sh? Is doing so even desired, since it's fairly trivial to implement outside of openssh? On a related note, there was a change some time ago which made allowed_user reject users whose password has been set to "force change" with passwd -f (or equivalent). (Specifically, the check for sp_lstchg was set to >= 0 rather than > 0). The result is that there's no way to force a user to change his password on next login, because doing so makes him unable to log in. Is there any reason not to reverse this? Digging throught the list archives, it looks like the change was suggested by ste...

...d(DISABLE_SHADOW) && defined(HAS_SHADOW_EXPIRE) #define DAY (24L * 60 * 60) /* 1 day in seconds */ spw = getspnam(pw->pw_name); if (spw != NULL) { - time_t today = time(NULL) / DAY; + time_t expiredate, today = time(NULL) / DAY; debug3("allowed_user: today %d sp_expire %d sp_lstchg %d" " sp_max %d", (int)today, (int)spw->sp_expire, (int)spw->sp_lstchg, (int)spw->sp_max); @@ -106,20 +113,28 @@ if (spw->sp_lstchg == 0) { log("User %.100s password has expired (root forced)", pw->pw_name); - return 0; + pass...

I have used SSHD from openssh-3.7.1p1 on HP-UX 11:11. It works correctly and the entry in the logfile is: Sep 24 07:01:20 garm sshd[6625]: Accepted password for japs from 192.38.97.131 port 2463 Next I have upgraded to openssh-3.7.1p2 and restarted SSHD. It does not accept the password any more and the entries in the logfile are: Sep 24 12:21:38 garm sshd[19542]: User japs not allowed because

...puppet manifest which would propogate to all our servers, thus updating all our passwords. The problem is, the User type (w/ manage_passwords enabled and ruby- shadow installed) will only set the password in /etc/shadow, but it doesn''t manage any of the other shadow parameters, namely the sp_lstchg parameter). As a result, after our 90-day period, all of our passwords have updated, but the individual machines still think that the passwords have expired, and refuses to let us log in. This seems a bug in the User type, in that if the password changes from the previous password, it should also...

Could everyone please test the latest snapshots as we will be making a new release soon. If you have any patches you would like us to consider, please resend them to the list ASAP. -d -- | Damien Miller <djm at mindrot.org> \ ``E-mail attachments are the poor man's | http://www.mindrot.org / distributed filesystem'' - Dan Geer

...at pobox.com 2002-04-25 05:03 ------- changing an expired password is not supported on non-PAM configurations. but i am continuing to look into this and hope to have a fix in the next release. getspent(3) expire fields are not well documented and there is at least one issue with how we interpret sp_lstchg now. *** This bug has been marked as a duplicate of 14 *** ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.

Hello, I have recently downloaded and compiled openssh-3.7.1p2 on both HP-UX 10.20 and HP-UX 11.00. The compile went fine. Logging in on the system used for the build works fine. However, logging in on a different system (where the newly compiled openssh is installed) results in the following error: Permission denied (publickey,password,keyboard-interactive). I have tried several things I

Dear All, I can install OpenSSH 3.7.1p2 with OpenSSL 0.9.7c on HP-UX 11.0 without problem. However, I find that all valid accounts are treated as "locked" (even specify "AllowUsers USER1" in sshd_config) and can't make SSH connection to the server. Here is the message shown in syslog.log. Oct 3 16:49:17 SERVER_NAME sshd[12994]: User USER1 not allowed because account is

...mode 1 debug1: SSH2_MSG_NEWKEYS sent debug1: waiting for SSH2_MSG_NEWKEYS debug1: newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user randy service ssh-connection method none debug1: attempt 0 failures 0 debug3: allowed_user: today 11868 sp_expire -1 sp_lstchg 11868 sp_max 99999 debug3: Trying to reverse map address 10.10.10.2. debug2: input_userauth_request: setting up authctxt for randy debug2: input_userauth_request: try method none Failed none for randy from 10.10.10.2 port 4351 ssh2 debug1: userauth-request for user randy service ssh-connection meth...

..._server_config: config reprocess config len 852 debug3: auth_shadow_acctexpired: today 2 sp_expire -1 days left -3 debug3: account expiration disabled debug2: input_userauth_request: setting up authctxt for admin debug2: input_userauth_request: try method none debug3: auth_shadow_pwexpired: today 2 sp_lstchg -1 sp_max 99999 Failed none for admin from 192.168.0.65 port 59719 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password" debug1: userauth-request for user admin service ssh-connection method password debug1: attempt 1 failures 0 debug2: input_userauth_request:...

...ey and 1024 bit host key. debug1: Encryption type: 3des debug1: cipher_init: set keylen (16 -> 32) debug1: cipher_init: set keylen (16 -> 32) debug1: Received session key; encryption turned on. debug1: Installing crc compensation attack detector. debug3: allowed_user: today 11858 sp_expire -1 sp_lstchg 11857 sp_max -1 debug1: Attempting authentication for komanek. debug1: temporarily_use_uid: 112/20 (e=0) debug1: trying public RSA key file /home/komanek/.ssh/authorized_keys debug1: restore_uid Failed rsa for komanek from 195.113.56.1 port 1022 debug1: Kerberos v4 password authentication for koman...

...ebug3: mm_request_send entering: type 6 debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM debug3: mm_request_receive_expect entering: type 7 debug3: mm_request_receive entering debug3: monitor_read: checking request 6 debug3: mm_answer_pwnamallow debug3: allowed_user: today 12025 sp_expire -1 sp_lstchg 12025 sp_max 99999 debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1 debug3: mm_request_send entering: type 7 debug2: monitor_read: 6 used once, disabling now debug3: mm_request_receive entering debug2: input_userauth_request: setting up authctxt for sshd debug3: mm_inform_authserv enterin...

...de 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user natis service ssh-connection method none debug1: attempt 0 failures 0 debug3: allowed_user: today 12244 sp_expire -1 sp_lstchg 12240 sp_max -1 debug2: input_userauth_request: setting up authctxt for natis debug2: input_userauth_request: try method none Accepted none for natis from 192.168.1.1 port 1199 ssh2 debug1: Entering interactive session for SSH2. debug1: fd 7 setting O_NONBLOCK debug1: fd 8 setting O_NONBLOCK debug1...

...de 1 debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug2: set_newkeys: mode 0 debug1: SSH2_MSG_NEWKEYS received debug1: KEX done debug1: userauth-request for user natis service ssh-connection method none debug1: attempt 0 failures 0 debug3: allowed_user: today 12244 sp_expire -1 sp_lstchg 12240 sp_max -1 debug2: input_userauth_request: setting up authctxt for natis debug2: input_userauth_request: try method none Accepted none for natis from 192.168.1.1 port 1199 ssh2 debug1: Entering interactive session for SSH2. debug1: fd 7 setting O_NONBLOCK debug1: fd 8 setting O_NONBLOCK debug1...