When pam_acct_mgmt() returns PAM_NEW_AUTHTOK_REQD, pam_chauthtok() must be the next PAM function called. That is, pam_chauthtok() MUST be called before pam_open_session() and before pam_setcred(PAM_ESTABLISH_CRED). The point is: if the user's password is expired then the login process cannot proceed too far before password changing is attempted. This bug applies, or should apply, to any implementation of PAM. Thus I selected "All" for the OS to which this bug applies. Cheers, Nico
Created attachment 55: Patch to do pw aging in kbd-interactive
Attached patch. This patch does the following:
- adds a boolean argument to do_pam_authenticate(), "can_age_pw_here"
- do_pam_authenticate() always calls pam_acct_mgmt() and saves the result
- do_pam_authenticate() calls pam_chauthtok() IFF (can_age_pw_here && pam_acct_mgmt() == PAM_NEW_AUTHTOK_REQD)
- auth2_pam() calls do_pam_authenticate(0, 1) to allow password aging during keyboard-interactive authentication
Cheers, Nico
The patch I attached earlier fixes the bug for keyboard-interactive userauth. For password userauth I think OpenSSH should either support SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or not even try password aging over the TTY session as it does now. Implementing password aging over the tty session is a *security bug* if the underlying password validation mechanism is Kerberos (e.g., via PAM_KRB5) because Kerberos cannot authenticate a user whose password is expired, yet by the time the TTY session is set up the server considers the user to be authenticated and the client is free to open any channels it wants. Cheers, Nico
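The call ordering described in the comments above (pam_acct_mgmt() before pam_chauthtok(), and both before pam_setcred() and pam_open_session()) together with the patch's can_age_pw_here flag, as an added C example that is not part of this bug thread or of OpenSSH. The PAM functions are simulated here (sim_ prefix, constructed account state) so the sequence runs and can be checked without libpam; a real client would call the libpam functions declared in <security/pam_appl.h> in exactly this order. The trace shows that with an expired password the session is never opened unless pam_chauthtok() has succeeded first, and that password userauth (which cannot converse with the user) fails cleanly rather than deferring the change to the TTY session.

```c
#include <stdio.h>
#include <string.h>

/* Return codes reuse Linux-PAM's numeric values; real code takes them from
 * <security/pam_appl.h>. The SIM_ prefix marks them as this example's own. */
enum {
    SIM_PAM_SUCCESS          = 0,
    SIM_PAM_AUTH_ERR         = 7,
    SIM_PAM_NEW_AUTHTOK_REQD = 12,
    SIM_PAM_AUTHTOK_ERR      = 20
};

/* Constructed account state standing in for what real PAM modules check. */
struct sim_account {
    int password_ok;       /* pam_authenticate() would succeed              */
    int password_expired;  /* pam_acct_mgmt() would return NEW_AUTHTOK_REQD */
    int change_succeeds;   /* pam_chauthtok() would succeed                 */
};

/* Ordered record of which PAM calls the login sequence actually made. */
#define SIM_MAX_CALLS 8
struct sim_trace {
    const char *calls[SIM_MAX_CALLS];
    int n;
};

static void record(struct sim_trace *t, const char *name)
{
    if (t->n < SIM_MAX_CALLS)
        t->calls[t->n++] = name;
}

/* Simulated PAM primitives: each records its call, then answers from the
 * account state the way the corresponding libpam function would. */
static int sim_authenticate(struct sim_account *a, struct sim_trace *t)
{
    record(t, "pam_authenticate");
    return a->password_ok ? SIM_PAM_SUCCESS : SIM_PAM_AUTH_ERR;
}
static int sim_acct_mgmt(struct sim_account *a, struct sim_trace *t)
{
    record(t, "pam_acct_mgmt");
    return a->password_expired ? SIM_PAM_NEW_AUTHTOK_REQD : SIM_PAM_SUCCESS;
}
static int sim_chauthtok(struct sim_account *a, struct sim_trace *t)
{
    record(t, "pam_chauthtok");
    if (!a->change_succeeds)
        return SIM_PAM_AUTHTOK_ERR;
    a->password_expired = 0;   /* new token installed, account usable again */
    return SIM_PAM_SUCCESS;
}
static int sim_setcred(struct sim_trace *t)
{
    record(t, "pam_setcred");
    return SIM_PAM_SUCCESS;
}
static int sim_open_session(struct sim_trace *t)
{
    record(t, "pam_open_session");
    return SIM_PAM_SUCCESS;
}

/* Login sequence with the ordering rule from the thread. can_age_pw_here
 * mirrors the patch's flag: keyboard-interactive can converse with the user,
 * so it may run pam_chauthtok(); password userauth cannot, so an expired
 * password simply fails there instead of being deferred to the TTY session. */
int pam_login_sequence(struct sim_account *a, int can_age_pw_here,
                       struct sim_trace *t)
{
    int rc = sim_authenticate(a, t);
    if (rc != SIM_PAM_SUCCESS)
        return rc;

    rc = sim_acct_mgmt(a, t);
    if (rc == SIM_PAM_NEW_AUTHTOK_REQD) {
        if (!can_age_pw_here)
            return rc;             /* auth method fails; nothing is opened */
        rc = sim_chauthtok(a, t);  /* must precede setcred/open_session   */
        if (rc != SIM_PAM_SUCCESS)
            return rc;
    } else if (rc != SIM_PAM_SUCCESS) {
        return rc;
    }

    /* Only here is the user fully authenticated. */
    rc = sim_setcred(t);
    if (rc != SIM_PAM_SUCCESS)
        return rc;
    return sim_open_session(t);
}

/* Position of a call in the trace, or -1 if it was never made. */
int trace_index(const struct sim_trace *t, const char *name)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->calls[i], name) == 0)
            return i;
    return -1;
}

int main(void)
{
    struct sim_account expired = { 1, 1, 1 };
    struct sim_trace t = { {0}, 0 };
    int rc = pam_login_sequence(&expired, 0, &t);   /* password userauth */
    printf("password userauth, expired: rc=%d, open_session at %d\n",
           rc, trace_index(&t, "pam_open_session"));
    t.n = 0;
    rc = pam_login_sequence(&expired, 1, &t);       /* keyboard-interactive */
    printf("kbd-interactive, expired: rc=%d, chauthtok at %d, open_session at %d\n",
           rc, trace_index(&t, "pam_chauthtok"), trace_index(&t, "pam_open_session"));
    return 0;
}
```

The two runs in main() correspond to the two userauth methods the comment contrasts: the first returns PAM_NEW_AUTHTOK_REQD with no session opened, the second changes the token at position 2 of the trace and only then reaches pam_setcred and pam_open_session.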
Created attachment 56: Second version of previous patch - also disables password aging in password userauth
The PAM privsep changes will have broken this patch - can you remake it against -current?
20020426 - (djm) Disable PAM password expiry until a complete fix for bug #188 exists
*** Bug 256 has been marked as a duplicate of this bug. ***
*** Bug 362 has been marked as a duplicate of this bug. ***
This patch has bitrotted with the introduction of the new PAM code. Discussion of password expiry handling is ongoing in bug #423 and bug #14.
Can you clarify on whether the PATCH is just bitrotted or whether this has actually been fixed with newpam? If not fixed, can we re-open this bug and just declare the patch obsolete?
I am repeating myself: the patch is bitrotted and the password change discussions are now happening in the other bugs.
Mass change of RESOLVED bugs to CLOSED