Bug 869

Summary:

Password expiration does not work for LDAP users

Product:

Portable OpenSSH

Reporter:

Vasiliy Gokoyev <gokoyev>

Component:

Miscellaneous

Assignee:

OpenSSH Bugzilla mailing list <openssh-bugs>

Status:

CLOSED INVALID

Severity:

critical

Priority:

Version:

-current

Hardware:

PPC

OS:

AIX

Attachments:

Description	Flags
Debug output from sshd -ddd	none
test of passwdexpired() alone	none

Description Vasiliy Gokoyev 2004-05-18 08:40:09 AEST

There appears to be a problem with SSH on AIX 5.1 on systems running secldap
client (secldapclntd): ssh ignores the maxage attribute specified for the
SYSTEM=LDAP users in the ldap directory.  Instead ssh is looking for the maxage
attribute in the /etc/security/user and the 'lastupdate' in the
/etc/security/passwd.  If the default stanza in the /etc/security/user does not
contain maxage the LDAP user never gets a prompt to change the expired password.
 If the default stanza does contain the maxage then the user always (even after
changing the password successfully) gets prompted to change the password (LDAP
users do not have stanzas in the /etc/security/passwd with the lastupdate
attribute).

Comment 1 Darren Tucker 2004-05-18 09:17:34 AEST

All sshd does is call the system-supplied functions (setauthdb, passwdexpired),
it doesn't go looking into /etc/security itself.  Does telnetd do what you expect?

Comment 2 Vasiliy Gokoyev 2004-05-18 13:21:36 AEST

Thanks for fast response.  telnetd does prompt for password change.  I will test
passwdexpired function to see if it returns 0 as soon as I get back in the
office; it seems it's looking at wrong registry.  Also if set the UseLogin to
yes sshd appears to work fine (I wonder if the 'login' uses passwdexpired or
something else like loginrestrictions?).

Comment 3 Darren Tucker 2004-05-18 13:37:27 AEST

If you run the server in debug mode ("/path/to/sshd -ddd") you can see what
arguments are given to setauthdb and what the results of passwdexpired are. 
Most of the AIX-specific code (including those bits) is in
openbsd-compat/port-aix.c.

Logging in via telnet is going to exec /usr/bin/login anyway, so it's not
surprising that sshd with UseLogin works.  What we need to figure out is what
login is does differently in this case...

Comment 4 Darren Tucker 2004-05-18 14:08:34 AEST

Oh, and please attach the debug output from the server to this bug (use "Create
a New Attachment").

Comment 5 Vasiliy Gokoyev 2004-05-19 00:19:31 AEST

Created attachment 637 [details]
Debug output from sshd -ddd

passwdexpired is returning 1 for a password that is only 4 days old; maxage set
to 13 weeks?!

Comment 6 Darren Tucker 2004-05-19 01:10:11 AEST

From the debugging:
debug1: match: OpenSSH_3.7.1p2-pwexp26_krb5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26_krb5
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): A file or
directory in the path name does not exist.

That looks like the IBM-supplied package (which is modified).  It's not the
software as supplied by the OpenSSH team.  (It's not the version you put in the
bug report either).  You need to open a PMR against the IBM OpenSSH package. 
Feel free to reopen this bug if you can reproduce the error with the vanilla
3.8.1p1 source distribution.

Comment 7 Vasiliy Gokoyev 2004-05-19 01:11:43 AEST

Created attachment 638 [details]
test of passwdexpired() alone

the attached program returns this:

password not expired
passwdexpired() returened     0

if I set time forward 13 weeks it returnes this:

# /tmp/p     
password expired
passwdexpired() returened     1

Does this mean that aix_setauthdb is not setting the registry correctly?
regards Vasiliy

Comment 8 Vasiliy Gokoyev 2004-05-19 02:51:36 AEST

Just recompiled 3.8.1p1 and the issue does not exist.  Thank you for your help.

Comment 9 Damien Miller 2010-04-16 15:50:22 AEST

Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1