Bug 2018 - sshd not handling PAM_NEW_AUTHTOK_REQD properly
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: PAM support
Version: 6.0p1
Hardware: All All
Importance: P2 normal
Assignee: Assigned to nobody
Reported: 2012-06-12 23:50 AEST by Stephen Sanders
Modified: 2015-08-11 23:03 AEST
Attachments
Zone in auth-pam.c where issue lies. (676 bytes, text/plain)
2012-06-12 23:50 AEST, Stephen Sanders

Description Stephen Sanders 2012-06-12 23:50:27 AEST
Created attachment 2164
Zone in auth-pam.c where issue lies.

Near line 482 in auth-pam.c, sshpam_password_change_required(0) is called.  This will have the effect of preventing PAM_NEW_AUTHTOK_REQD from being transmitted back to the parent process.  

In turn, this will prevent any password updates from occurring at login time.

If one comments the line out or changes it to sshpam_password_change_required(1), sshd will prompt for a new user password and process the password update as anticipated.

This is used to support password expiration.  The normal flow should be authenticate -> password update -> authenticate using new password.

I've listed 6.0p1 but it is in all versions 5.2p1 and greater.
Comment 1 Stephen Sanders 2012-06-13 07:13:25 AEST
This was a problem with the PAM module that was handling password expiration.

Sorry for the bother.
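
The expiry flow from the description, and the cause named in comment 1, as an added example that is not from this bug report or from OpenSSH: a self-contained C model of the steps that follow a successful authentication. The callbacks, enum names and `post_auth` are hypothetical stand-ins for the account-management and password-change PAM calls; nothing here links against libpam.

```c
#include <stdio.h>

/* Model codes named after libpam return codes; the numeric values are not libpam's. */
enum rc { RC_SUCCESS, RC_NEW_AUTHTOK_REQD, RC_ACCT_EXPIRED, RC_AUTHTOK_ERR };
enum outcome { LOGIN_OK, LOGIN_OK_AFTER_CHANGE, LOGIN_DENIED };

typedef enum rc (*step_fn)(void);

/*
 * Runs once authentication has succeeded. acct_mgmt and chauthtok are
 * hypothetical stand-ins for pam_acct_mgmt() and
 * pam_chauthtok(..., PAM_CHANGE_EXPIRED_AUTHTOK).
 */
enum outcome post_auth(step_fn acct_mgmt, step_fn chauthtok)
{
    int change_required = 0;
    enum rc rc = acct_mgmt();

    if (rc == RC_NEW_AUTHTOK_REQD)
        change_required = 1;      /* expired password: a change must precede login */
    else if (rc != RC_SUCCESS)
        return LOGIN_DENIED;      /* e.g. expired account: no change is offered */

    if (!change_required)
        return LOGIN_OK;          /* the account step reported nothing to change */

    if (chauthtok() != RC_SUCCESS)
        return LOGIN_DENIED;      /* fail closed: no session on the expired password */

    change_required = 0;          /* cleared only after the change succeeded */
    return LOGIN_OK_AFTER_CHANGE;
}

/* Constructed module behaviours used as sample input. */
enum rc acct_ok(void)         { return RC_SUCCESS; }
enum rc acct_expired_pw(void) { return RC_NEW_AUTHTOK_REQD; }
enum rc acct_expired(void)    { return RC_ACCT_EXPIRED; }
enum rc change_ok(void)       { return RC_SUCCESS; }
enum rc change_fail(void)     { return RC_AUTHTOK_ERR; }

int main(void)
{
    /* A stack whose account step never reports expiry never reaches the change step. */
    printf("expiry reported: %d\n", post_auth(acct_expired_pw, change_ok));
    printf("expiry not reported: %d\n", post_auth(acct_ok, change_ok));
    printf("change fails: %d\n", post_auth(acct_expired_pw, change_fail));
    return 0;
}
```

In this model the password prompt depends entirely on the account step returning the "new token required" code, so when logins succeed without a prompt, the module responsible for expiry is the first place to check.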
Comment 2 Damien Miller 2015-08-11 23:03:23 AEST
Set all RESOLVED bugs to CLOSED with release of OpenSSH 7.1