| Summary: | sshd not handling PAM_NEW_AUTHTOK_REQD properly | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Stephen Sanders <ssanders> | ||||
| Component: | PAM support | Assignee: | Assigned to nobody <unassigned-bugs> | ||||
| Status: | CLOSED INVALID | ||||||
| Severity: | normal | ||||||
| Priority: | P2 | ||||||
| Version: | 6.0p1 | ||||||
| Hardware: | All | ||||||
| OS: | All | ||||||
| Attachments: |
|
||||||
This was a problem with the pam module that was handling password expiration. Sorry for the bother. Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1 |
Created attachment 2164 [details] Zone in auth-pam.c where issue lies. Near line 482 in auth-pam.c, sshpam_password_change_required(0) is called. This will have the effect of preventing PAM_NEW_AUTHTOK_REQD from being transmitted back to the parent process. In turn, this will prevent any password updates from occurring at login time. If one comments the line out or changes to sshpam_password_change_required(1), sshd will prompt for a new user password and process the password update as anticipated. This is used to support password expiration. The normal flow should be authenticate -> password update -> authenticate using new password. I've listed 6.0p1 but it is in all versions 5.2p1 and greater.