Bug 1193

Summary: Open ssh will not allow changing of passwords on usernames greater than 8 characters.
Product: Portable OpenSSH
Reporter: andrew jones <andrew.jones>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: major
Keywords: help-wanted
Priority: P2
Version: 3.9p1
Hardware: SPARC
OS: Solaris
Bug Depends on:
Bug Blocks: 1155
Attachments:
Description: Define PASSWD_NEEDS_USERNAME for Solaris
Flags: none

Description andrew jones 2006-06-09 00:25:37 AEST
Trying to run ssh 3.9p1 on Solaris 8 but when I try and change the password on a username greater than 8 characters the following happens.

login as: abcdefghi
abcdefghi@chewbacca's password:
Last login: Wed Jun  7 13:52:28 2006 from it59114.corp.re
Sun Microsystems Inc.   SunOS 5.7       Generic
October 1998
WARNING: Your password has expired.
You must change your password now and login again!
passwd:  Changing password for abcdefgh
passwd(SYSTEM): abcdefgh does not exist
Permission denied
Comment 1 Darren Tucker 2006-06-09 01:12:01 AEST
I believe this is a bug or limitation in Solaris' "passwd" command (which is what sshd invokes under the covers in this situation) which occurs when the username is more than 8 characters, and that if you run "/bin/passwd abcdefghi" on the command line you will see the same error.

I can suggest the following things to try:

1) Don't have usernames more than 8 characters long on Solaris (or at least, that version), since it does not appear to be supported.

2) configure sshd to only allow authentication via challenge-response authentication ("PasswordAuthentication no" and "ChallengeResponseAuthentication yes") which will allow sshd to change expired passwords by calling pam_chauthtok() directly (assuming this works, I have not tried it under those conditions).  This is more likely to work with the current OpenSSH version (4.3p2) than 3.9p1.

3) Configure sshd with UsePrivilegeSeparation=no.  This will mean that sshd will have the privileges required to call pam_chauthtok() rather than execute /bin/passwd.  (again, if it works as I've not tried it)

4) ask Sun to fix /bin/passwd to work properly with usernames longer than 8 chars.
Comment 2 Darren Tucker 2006-06-10 10:18:11 AEST
According to Andrew, Sun has the following to say on the subject:

[quote]
The truncation of usernames to 8 characters is a known limitation.

Technically Solaris (2.5.1 - 10) doesn't officially support usernames 
longer than 8 characters (see useradd(1M), which warns you when creating
a long username).  Solaris will run and allow logins with longer names 
however, several commands, like /bin/passwd, and other utilities are 
unable to handle them properly.

Many RFEs have been logged to get this changed, but they've all been 
closed in the past as "Will not fix" due to the requirement to keep 
inter-operability between the Solaris releases.

This point of view is being reviewed and an RFE for this limitation 
is currently open (Bug/RFE: 4109819).

Until this is changed, the only way users with long usernames will be 
able to change their passwd is by explicitly calling /bin/passwd with 
the full username:

	$ /bin/passwd longusername
[/quote]

I suggest trying rebuilding OpenSSH with "./configure --with-cflags=-DPASSWD_NEEDS_USERNAME" which will do what is described above.

I'm not sure if it will have any other side effects though (on some platforms that only works for root, and by the time sshd invokes passwd it has already given up all of its privileges).
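
A check for the accounts affected by the limitation Sun describes above, as an added example that is not part of the original bug report or of OpenSSH: it lists login names longer than 8 characters in a passwd-format file, together with the 8-character truncated form of the kind passwd reported in the transcript. The function names, the status labels and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts whose login name exceeds 8 characters.
# Input is a passwd(4)-format file (name:pw:uid:gid:gecos:home:shell).

# long_usernames FILE
# Prints "name prefix8 status" for each affected account, where status is
# "prefix-is-account" if the 8-character prefix is itself a login name
# in FILE, and "prefix-unused" otherwise.
long_usernames() {
    awk -F: '
        /^[#+-]/ || NF < 7 { next }   # skip comments, NIS compat and malformed rows
        { names[$1] = 1; order[++n] = $1 }
        END {
            for (i = 1; i <= n; i++) {
                name = order[i]
                if (length(name) <= 8) continue
                p = substr(name, 1, 8)
                print name, p, ((p in names) ? "prefix-is-account" : "prefix-unused")
            }
        }' "$1"
}

# Constructed sample data, not taken from any real system.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
abcdefgh:x:1001:10:Short name:/export/home/abcdefgh:/bin/sh
abcdefghi:x:1002:10:Nine chars:/export/home/abcdefghi:/bin/sh
longusername:x:1003:10:Twelve chars:/export/home/longusername:/bin/sh
eightchr:x:1004:10:Exactly eight:/export/home/eightchr:/bin/sh
EOF
}

# Stand-alone demo run on the constructed sample.
tmp=$(mktemp) || exit 1
sample_passwd > "$tmp"
long_usernames "$tmp"
rm -f "$tmp"
```

On a real host, pass the path of the local passwd file to long_usernames instead of the sample.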
Comment 3 Darren Tucker 2006-06-23 21:36:01 AEST
Created attachment 1149
Define PASSWD_NEEDS_USERNAME for Solaris

Brief experimentation indicates that this will work.  Is it worth adding this as a workaround?
Comment 4 Damien Miller 2006-06-23 23:04:34 AEST
it looks sane, but will need testing across the solaris[-es/en] we support
Comment 5 Darren Tucker 2006-06-23 23:11:59 AEST
(In reply to comment #4)
> it looks sane, but will need testing across the solaris[-es/en] we
> support

I can test 2.5.1, 8 and 9.  10 (and maybe opensolaris) would be important to test but I'm less worried about the ones in the middle.

Note for anyone testing the patch: you will need to run "autoreconf" from autoconf-2.59 to rebuild configure before reconfiguring and building.
Comment 6 Darren Tucker 2006-06-24 12:11:58 AEST
Tested OK on the systems I have access to.  Patch applied and will be in OpenSSH 4.4.
Comment 7 Darren Tucker 2006-09-28 19:26:19 AEST
With the release of 4.4, we believe that this bug is now closed.  For information about the release please see http://www.openssh.com/txt/release-4.4 .