Bug 1241 - Connections to Tru64 hosts hang when password is expired.
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 5.1p1
Hardware: Alpha OSF/1
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Keywords: patch
Blocks: V_5_3
Reported: 2006-10-03 03:04 AEST by R. Scott Bailey
Modified: 2009-10-06 15:03 AEDT
Attachments
Add password expiration checking to auth-sia.c (1.69 KB, patch)
2006-10-03 03:05 AEST, R. Scott Bailey
dtucker: ok?
Description R. Scott Bailey 2006-10-03 03:04:18 AEST
This is a longstanding bug which I believe is present in all 4.x releases. When connecting to a Tru64 system where sshd was built with --with-osfsia and the user's password is expired, the connect succeeds but the session hangs (until the user disconnects with "~."). This has the effect of locking users completely out of the system unless they always change their passwords before they expire, or there is an alternate access path (such as telnet) to work around the problem.

The attached patch corrects this issue for password-based authentication by checking the password status and setting force_pwchange when appropriate.

Other authentication methods (including my favorite, public-key-based) are still screwed up because I couldn't figure out where to hook in the password check. :-p

I hope this patch, or better yet an improved more comprehensive version, will be included in future releases.

Thanks for an indispensable utility,
Scott
Comment 1 R. Scott Bailey 2006-10-03 03:05:16 AEST
Created attachment 1194
Add password expiration checking to auth-sia.c
Comment 2 Darren Tucker 2007-12-31 23:44:12 AEDT
This looks reasonable, however I have no way of testing it.  I'm adding it to the list for 4.8 and hoping someone with an SIA-enabled Tru64 box can test it.

Regarding public-key authentication: currently password expiration is only checked for password authentication (although there are some corner cases for, e.g., PAM).  If the session doesn't work in that case, it would be nicer to provide a nice message and disconnect.
Comment 3 Darren Tucker 2008-03-12 21:54:25 AEDT
Comment on attachment 1194
Add password expiration checking to auth-sia.c

As I said, this looks fine but I can't test it.  Can anyone test?

I'm leaning toward applying the patch so it can be tested in snaps.
Comment 4 Darren Tucker 2008-06-13 11:14:26 AEST
Thanks, this has been applied and will be in the 5.1 release.
Comment 5 Damien Miller 2008-07-22 12:12:06 AEST
Mass update RESOLVED->CLOSED after release of openssh-5.1
Comment 6 Chris Adams 2008-08-02 13:22:56 AEST
This patch breaks password-based logins on my Tru64 5.1B systems and should be reverted.

The patch should be unnecessary; on my systems, if I attempt to log in (with either password or public key authentication) to an account with an expired password, I am properly prompted to change the password.  This is all handled by the SIA session routines.
Comment 7 Darren Tucker 2009-07-31 10:12:10 AEST
OK, well we'll roll this back for 5.3 but please figure out amongst yourselves the right way to do this.
Comment 8 Darren Tucker 2009-08-28 10:19:10 AEST
I have rolled the change back for 5.3p1.  Please figure out what should be changed to make both of your configurations work then let us know.
Comment 9 Damien Miller 2009-10-06 15:03:09 AEDT
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.