sshd skips passwd -f <username> password expiry when run with the "UsePAM no" option.
Created attachment 609 [details] server-log
Created attachment 610 [details] Client_log sshd skips passwd change while Telnet prompts for a password change
Comment on attachment 609 [details] server-log

[snip]
> debug3: mm_request_receive entering
> debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
> Failed publickey for mid from 127.0.0.1 port 49365 ssh2

The server log appears incomplete, there should be a section that looks like:

debug3: monitor_read: checking request 10
debug3: auth_shadow_pwexpired: today 12529 sp_lstchg 12407 sp_max 99999

Could you please attach that. Also, what are the shadow settings in config.h? Do "grep SHADOW config.h" after running configure.
Created attachment 611 [details] serverlog_shadow_installed: server log with the following options: 1. shadow passwords installed, 2. UsePAM no
Created attachment 612 [details] serverlog_noshadow_usepamno: server log with the following options: 1. no shadow passwords on the system, 2. UsePAM no
Created attachment 613 [details] serverlog_noshadow_usepamyes: server log with the following options: 1. no shadow passwords, 2. UsePAM yes
Michael, do you use password login? It seems with UsePAM=no, the password expiry code is only used for password logins, but not when using for example public key logins. At least, I only find one call to auth_shadow_pwexpired, which is in auth-passwd.c
Yes. It has been mentioned that the authentication used was password authentication. In sshd_config, the configuration is:

UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes

A member of the passwd structure in HP-UX decides the password aging, and it is "char pw_age" [try "man 4 passwd" on HP-UX systems for details]. This is applicable to the /etc/passwd file only. The ssh code properly checks for expired passwords with shadow passwords, using the field "spw->sp_expire" [function "auth_shadow_acctexpired()" in auth-shadow.c]. That's why it works with shadow passwords. So, IMHO, there has to be a check for the "pw_age" member when sshd is configured with "UsePAM no" and the system does not have shadow support, as in that case it uses the /etc/passwd file.
Created attachment 615 [details] Add debug for pw_age

That seems pretty much right, the only wrinkle is that "passwd -f" does not seem to set pw_age:

debug1: passwd gNrjkysyT2/LM pw_age

while /etc/passwd looks like this:

testuser:gNrjkysyT2/LM,..:203[...]
Since the non-shadow age does not appear in the password field or pw_age field as returned by the OS, I don't see how sshd can handle this. Does anyone know how to check the password age in this case?
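As an added illustration of the aging field discussed in the comments above (example code, not from the page or from OpenSSH), the function below parses the System V-style aging suffix of an HP-UX /etc/passwd password field directly, instead of relying on the pw_age member that "passwd -f" leaves empty. The encoding (first char = max weeks, second = min weeks, next two = last-change week, using '.' '/' 0-9 A-Z a-z for 0..63) is assumed from passwd(4); the ",.." seen in the log above is the forced-change state.

```c
#include <stddef.h>
#include <string.h>

/* Decode one aging character: '.'=0 '/'=1 '0'-'9'=2..11 'A'-'Z'=12..37
 * 'a'-'z'=38..63 (assumed System V / HP-UX passwd(4) encoding). -1 if invalid. */
static int age_char(char c)
{
    if (c == '.') return 0;
    if (c == '/') return 1;
    if (c >= '0' && c <= '9') return c - '0' + 2;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 12;
    if (c >= 'a' && c <= 'z') return c - 'a' + 38;
    return -1;
}

/* Evaluate the aging string that follows the ',' in the password field.
 * now_week is the current week number since the epoch.
 * Returns 1 if a password change must be forced, 0 if not, -1 if malformed. */
int pw_age_expired(const char *age, long now_week)
{
    if (age == NULL || age[0] == '\0')
        return 0;                           /* no aging configured */
    int max = age_char(age[0]);
    int min = age[1] ? age_char(age[1]) : -1;
    if (max < 0 || min < 0)
        return -1;                          /* not a valid two-char aging prefix */
    if (max == 0 && min == 0)
        return 1;                           /* ".." : passwd -f forced change at next login */
    if (max < min)
        return 0;                           /* only the superuser may change it; never expires */
    if (strlen(age) < 4)
        return 1;                           /* aging set but no last-change week: assume expired */
    int lo = age_char(age[2]), hi = age_char(age[3]);
    if (lo < 0 || hi < 0)
        return -1;
    long last_change = lo + 64L * hi;       /* little-endian week of last change */
    return now_week > last_change + max ? 1 : 0;
}

/* Split an HP-UX password field of the form "hash,age" and check the age part.
 * A field without ',' has no aging information and is never expired. */
int passwd_field_expired(const char *field, long now_week)
{
    const char *comma = strchr(field, ',');
    if (comma == NULL)
        return 0;
    return pw_age_expired(comma + 1, now_week);
}
```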
I have some ideas. But before trying them, I need one clarification: attachment id=615 deals with aging in auth-shadow.c. Should this checking of password aging in /etc/passwd be done there or moved to auth-passwd.c? Which would be the right place?
(In reply to comment #11)
> Should this checking of password aging in /etc/passwd be done there or moved to auth-passwd.c?
> Which would be the right place?

I don't think it matters much right now. I'd be more interested to see the code that can reliably detect this condition, then we can work out where it best fits. Since auth-passwd.c is present in both OpenBSD's sshd and Portable's, additions to it represent an ongoing maintenance hassle. In general, we prefer to avoid unnecessary differences in files that must be kept synced.
Created attachment 968 [details] Patch for honouring expired passwords in HP-UX

The attached patch detects expired passwords when run with "Usepam no". If needed, I'm interested in implementing this fix in auth-passwd.c.