search for: sshpam_password_change_required

...Priority: P2 Component: PAM support AssignedTo: unassigned-bugs at mindrot.org ReportedBy: ssanders at opnet.com Created attachment 2164 --> https://bugzilla.mindrot.org/attachment.cgi?id=2164 Zone in auth-pam.c where issue lies. Near line 482 in auth-pam.c, sshpam_password_change_required(0) is called. This will have the effect of preventing PAM_NEW_AUTHTOK_REQD from being transmitted back to the parent process. In turn, this will prevent any password updates from occurring at login time. If one comments the line out or changes to sshpam_password_change_required(1), sshd will p...

...cct_mgmt(sshpam_handle, 0); - debug3("PAM: %s pam_acct_mgmt = %d", __func__, sshpam_err); - - if (sshpam_err != PAM_SUCCESS && sshpam_err != PAM_NEW_AUTHTOK_REQD) { - sshpam_account_status = 0; - return (sshpam_account_status); - } - - if (sshpam_err == PAM_NEW_AUTHTOK_REQD) - sshpam_password_change_required(1); - - sshpam_account_status = 1; - return (sshpam_account_status); -} - void do_pam_set_tty(const char *tty) { @@ -939,6 +918,45 @@ static struct pam_conv store_conv = { sshpam_store_conv, NULL }; +u_int +do_pam_account(void) +{ + struct pam_conv *OldConv; + if (sshpam_account_status != -...

...sswd_conv called with 1 messages debug1: PAM: password authentication accepted for fred debug1: do_pam_account: called debug3: PAM: sshpam_passwd_conv called with 1 messages debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.) debug3: sshpam_password_change_required 1 Accepted password for fred from 127.0.0.1 port 32786 ssh2 debug1: PAM: establishing credentials debug3: PAM: opening session debug1: Entering interactive session for SSH2. debug2: fd 4 setting O_NONBLOCK debug2: fd 5 setting O_NONBLOCK debug1: server_init_dispatch_20 debug1: serve...

...sh_msg_send: type 0 Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug1: PAM: Your password will expire in 3 days. Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: PAM: import_environments entering Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: sshpam_password_change_required 0 Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: PAM: num env strings 0 Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug1: PAM: num PAM env strings 0 Jul 13 17:05:31 tatiana sshd[25597]: [ID 800047 auth.debug] debug3: mm_request_send entering: type 51 Jul 13 17...

...bug3: mm_request_receive entering debug1: do_pam_account: called debug2: do_pam_account: auth information in SSH_AUTH_INFO_0 debug3: PAM: sshpam_passwd_conv called with 1 messages debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required) debug3: sshpam_password_change_required 1 debug3: mm_request_send entering: type 103 Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2 debug1: monitor_child_preauth: dhubbard2 has been authenticated by privileged process debug3: mm_get_keystate: Waiting for new keys debug3: mm_request_receive_expect entering: type 26...

...d returned 1 debug3: mm_request_receive entering debug3: mm_sshpam_query debug3: mm_request_send entering: type 50 debug3: monitor_read: checking request 50 debug3: mm_answer_pam_query debug3: PAM: sshpam_query entering debug3: ssh_msg_recv entering debug3: PAM: import_environments entering debug3: sshpam_password_change_required 0 debug3: PAM: num env strings 0 debug1: PAM: num PAM env strings 0 debug3: mm_request_send entering: type 51 debug3: mm_request_receive entering debug3: mm_sshpam_query: waiting for MONITOR_ANS_PAM_QUERY debug3: mm_request_receive_expect entering: type 51 debug3: mm_request_receive entering debug3...

...bug3: monitor_read: checking request 106 debug3: mm_answer_pam_query debug3: PAM: sshpam_query entering debug3: ssh_msg_recv entering debug1: do_pam_account: called debug3: PAM: do_pam_account pam_acct_mgmt = 0 (success) debug3: ssh_msg_send: type 0 debug3: PAM: import_environments entering debug3: sshpam_password_change_required 0 debug3: PAM: num env strings 0 debug1: PAM: num PAM env strings 0 debug3: mm_request_send entering: type 107 debug3: mm_sshpam_query: pam_query returned 0 [preauth] Postponed keyboard-interactive/pam for admin from ::1 port 50860 ssh2 [preauth] Received disconnect from ::1: 10: [preauth] debug1:...

...Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: PAM: sshpam_passwd_conv called with 1 messages Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required) Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: sshpam_password_change_required 1 Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug3: mm_request_send entering: type 103 Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: Accepted password for nasim from 128.224.145.117 port 52060 ssh2 Dec 16 22:22:13 knasim-ubuntu1 sshd[8569]: debug1: monitor_child_preauth: nasim has been authenticated...

Hi folks, I came across this issue on both stock CentOS(v6.4) and Ubuntu(14.04 LTS) and was wondering if any of you have seen it. As far as I can tell this seems like a day-1 bug to me. PROBLEM: If I expire a linux user's password (passwd -e <user>) and then log in via ssh, it will prompt you for a password change. On changing the password successfully, sshd will drop the connection