Bug 188

Summary:

pam_chauthtok() is called too late

Product:

Portable OpenSSH

Reporter:

Nicolas Williams <Nicolas.Williams>

Component:

sshd

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED WONTFIX

Severity:

major

CC:

dirk.bockmann, smueller

Priority:

Version:

-current

Hardware:

Other

OS:

All

Attachments:

Description	Flags
Patch to do pw aging in kbd-interactive	none
Second version of previous patch - also disables password aging in password userauth	none

Description Nicolas Williams 2002-03-27 09:24:40 AEDT

When pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD pam_chauthtok()
must be the next PAM function called. That is, pam_chauthtok() MUST
be called before pam_open_session() and before
pam_setcred(PAM_ESTABLISH_CRED).

The point is: if the user's password is expired then the login process cannot
proceed too far before password changing is attempted.

This bug applies, or should apply, to any implementation of PAM. Thus I selected
"All" for the OS to which this bug applies.

Cheers,

Nico

Comment 1 Nicolas Williams 2002-03-28 02:43:27 AEDT

Created attachment 55 [details]
Patch to do pw aging in kbd-interactive

Comment 2 Nicolas Williams 2002-03-28 02:50:22 AEDT

Attached patch. This patch does the following:

 - adds a boolean argument to do_pam_authenticate(), "can_age_pw_here"
 - do_pam_authenticate() always calls pam_acct_mgmt() and saves the result
 - do_pam_authenticate() calls pam_chauthtok()
   IFF (can_age_pw_here && pam_acct_mgmt() == PAM_NEW_AUTHTOK_REQD)
 - auth2_pam() calls do_pam_authenticate(0, 1) to allow password aging
   during keyboard-interactive authentication

Cheers,

Nico

Comment 3 Nicolas Williams 2002-03-28 05:00:15 AEDT

The patch I attached earlier fixes the pbug wfor keyboard-interactive userauth.

For password userauth I think OpenSSH should either support
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or not even try password aging over the TTY
session as it does now.

Implementing password aging over the tty session is a *security bug* if the
underlying password validation mechanism is Kerberos (e.g., via PAM_KRB5)
because Kerberos cannot authenticate a user whose password is expired, yet by
the time the TTY session is setup the server considers the user to be
authenticated and then client is free to open any channels it wants.

Cheers,

Nico

Comment 4 Nicolas Williams 2002-03-28 07:27:45 AEDT

Created attachment 56 [details]
Second version of previous patch - also disables password aging in password userauth

Comment 5 Damien Miller 2002-04-23 23:38:56 AEST

The PAM privsep changes will have broken this patch - can you remake it against
-current?

Comment 6 Kevin Steves 2002-06-04 05:46:41 AEST

20020426
 - (djm) Disable PAM password expiry until a complete fix for bug #188 
   exists

Comment 7 Kevin Steves 2002-07-18 15:46:43 AEST

*** Bug 256 has been marked as a duplicate of this bug. ***

Comment 8 Kevin Steves 2002-08-30 07:08:16 AEST

*** Bug 362 has been marked as a duplicate of this bug. ***

Comment 9 Damien Miller 2003-05-14 22:32:19 AEST

This patch has bitrotted with the introduction of the new PAM code. Discussion
of password expiry handling is ongoing in bug #423 and bug #14

Comment 10 Frank Cusack 2003-05-15 06:59:10 AEST

Can you clarify on whether the PATCH is just bitrotted or whether this
has actually been fixed with newpam?  If not fixed, can we re-open this
bug and just declare the patch obsolete?

Comment 11 Damien Miller 2003-05-15 09:00:39 AEST

I am repeating myself: the patch is bitrotted and the password change
discussions are now happening in the other bugs.

Comment 12 Damien Miller 2004-04-14 12:24:18 AEST

Mass change of RESOLVED bugs to CLOSED