Bug 473 - cannot update password using PAM on HP-UX system that has been tsconverted
Summary: cannot update password using PAM on HP-UX system that has been tsconverted
Status: CLOSED DUPLICATE of bug 423
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: -current
Hardware: All HP-UX
Importance: P2 normal
Assignee: OpenSSH Bugzilla mailing list
Reported: 2003-01-25 08:44 AEDT by rusr
Modified: 2004-04-14 12:24 AEST
Description rusr 2003-01-25 08:44:30 AEDT
With OpenSSH 3.1p1 using PAM, there is a problem logging in if the password is
expired and the server system has been converted to use commercial security mode
with the /etc/tsconvert command.

Problem description:
If a user has an expired password, they cannot log in using ssh.

When they attempt to login, the system detects the expired password and forces
the user to change it before they can complete the login. However, if you have
converted to comsec, HP's pam_unix checks the UID (must be the uid of the user
logging in) and the EUID (must be 0, aka root) before allowing the password
update to proceed. However, sshd always has UID == EUID == 0, so the password
change fails and the user is logged out, effectively locking the user out of the
system (unless they use some other method of logging in, such as rlogin or telnet).

A possible fix for this involves passing the user's password entry from
session.c to do_pam_chauthtok(). do_pam_chauthtok() then changes the RUID to the
user's uid, calls pam_chauthtok(), and changes it back after the call.

I am including some diffs of the fix as I made it - the official version may
wish to have it enclosed in #ifdef's.

diff auth-pam.h /extra/openssh-3.1p1/auth-pam.h | more
1c1
< /* $Id: auth-pam.h,v 1.3 2002/05/14 16:35:43 cvsuser Exp $ */
---
> /* $Id: auth-pam.h,v 1.11 2001/03/27 06:12:24 djm Exp $ */
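Review bot: the diff is reversed, which will trip anyone trying to apply it: the modified copy is given first and the pristine 3.1p1 tree second, so the `<` lines are the proposed code (the `struct passwd *pw` prototype the description talks about) and the `>` lines are what is being replaced. Please regenerate as `diff -u /extra/openssh-3.1p1/auth-pam.h auth-pam.h` so `patch` applies it forwards, and leave the `$Id:` keyword line out of the change; it is CVS churn, not part of the fix.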
18c18
< void do_pam_chauthtok(struct passwd *pw);
---
> void do_pam_chauthtok(void);

diff auth-pam.c /extra/openssh-3.1p1/auth-pam.c | more
38c38
< RCSID("$Id: auth-pam.c,v 1.3 2002/05/14 16:35:43 cvsuser Exp $");
---
> RCSID("$Id: auth-pam.c,v 1.42 2002/02/05 01:40:47 djm Exp $");
146d145
<
326c325
< void do_pam_chauthtok(struct passwd *pw)
---
> void do_pam_chauthtok(void)
329,331d327
<       uid_t current_uid;
<       uid_t current_euid;
<       int uid_set = 0;
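Review bot: `current_euid` is declared here but never referenced in any of the shown hunks (the later condition calls `geteuid()` directly), so it should be dropped. `current_uid`, on the other hand, is assigned but then not used to restore the identity afterwards; if it is kept, it should be the value passed back to `setreuid()` when undoing the switch.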
337,340d332
<               if ((geteuid() == 0) && (current_uid = getuid()) == 0) {
<                       setreuid(pw->pw_uid, -1);
<                       uid_set = 1;
<               }
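Review bot: the return value of `setreuid(pw->pw_uid, -1)` is not checked, and `uid_set = 1` is recorded regardless of whether the call succeeded. If the switch fails, `pam_chauthtok()` still runs with the wrong real uid, which is exactly the condition this patch exists to avoid; since the outcome is then a failed change and a locked-out user, the failure should be fatal rather than silent, e.g. `if (setreuid(pw->pw_uid, -1) == -1) fatal("setreuid: %s", strerror(errno));`. The embedded assignment `(current_uid = getuid()) == 0` in the condition is also easy to misread; assigning `current_uid` on its own line before the test would make the intent clearer.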
342,344d333
<               if (uid_set == 1) {
<                       setuid(0);
<               }
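Review bot: `setuid(0)` only restores the real uid here because the effective uid was never changed and is still 0; that dependency is implicit, and the call's return value is again unchecked. Since the original real uid was saved in `current_uid` for this purpose, restoring with `setreuid(current_uid, -1)` and treating failure as fatal states the intent directly and guarantees the process does not continue with a real uid the rest of the session code does not expect.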

diff session.c /extra/openssh-3.1p1/session.c | more
718c718
<               do_pam_chauthtok(pw);
---
>               do_pam_chauthtok();
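As an added illustration (not the reporter's patch and not OpenSSH code), the real-uid swap the description calls for, written with the checks a reviewer would ask for: the saved real uid is restored explicitly, both switches are checked, and the callback's result and errno are passed through. `call_with_real_uid`, `probe_ids` and `struct probe` are names chosen here, and `pam_chauthtok()` is stood in for by a callback so the block runs without privilege; in sshd the caller would additionally require `geteuid() == 0`, as the patch does, since that is the other half of what the report says HP's pam_unix checks.

```c
/* Added example, not part of the bug report or of OpenSSH. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Run fn(arg) with the real uid temporarily set to `target`, leaving the
 * effective uid untouched (so a root-effective caller keeps its privilege,
 * which is the RUID == user / EUID == 0 shape the report describes).
 * Returns fn's result with its errno preserved, or -1 if either the switch
 * to `target` or the switch back to the original real uid fails.
 */
int call_with_real_uid(uid_t target, int (*fn)(void *), void *arg)
{
    uid_t saved_ruid = getuid();   /* remembered for the explicit restore */
    int rc, saved_errno;

    /* Refuse to run the callback under the wrong identity. */
    if (saved_ruid != target && setreuid(target, (uid_t)-1) == -1)
        return -1;

    rc = fn(arg);
    saved_errno = errno;

    /*
     * Restore the original real uid by value rather than relying on
     * setuid(0) side effects; the effective uid was never changed, so
     * this call is permitted whenever the first one was.
     */
    if (saved_ruid != target && setreuid(saved_ruid, (uid_t)-1) == -1)
        return -1;   /* losing the original identity is itself an error */

    errno = saved_errno;
    return rc;
}

/* Stand-in for pam_chauthtok(): records the ids it was called with. */
struct probe {
    uid_t seen_ruid;
    uid_t seen_euid;
    int result;      /* value the callback should return */
};

int probe_ids(void *p)
{
    struct probe *pr = p;

    pr->seen_ruid = getuid();
    pr->seen_euid = geteuid();
    return pr->result;
}

int main(void)
{
    /* Constructed input: target the caller's own real uid so that the
     * demonstration also works when run unprivileged. */
    struct probe pr = { 0, 0, 0 };
    int rc = call_with_real_uid(getuid(), probe_ids, &pr);

    printf("rc=%d callback saw ruid=%lu euid=%lu; now ruid=%lu euid=%lu\n",
           rc, (unsigned long)pr.seen_ruid, (unsigned long)pr.seen_euid,
           (unsigned long)getuid(), (unsigned long)geteuid());
    return rc == 0 ? 0 : 1;
}
```

Run as root with `target` set to the user's uid, the callback sees `ruid == user, euid == 0` and the process returns to `ruid == 0` afterwards; run unprivileged with any uid other than the caller's own, the first `setreuid()` fails and the callback never runs, which is the behaviour the unchecked call in the posted hunk lacks.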
Comment 1 Darren Tucker 2003-01-25 09:20:19 AEDT
See also bug #423 attachment #198 for one way to make this work with privsep
enabled.

*** This bug has been marked as a duplicate of 423 ***
Comment 2 Damien Miller 2004-04-14 12:24:18 AEST
Mass change of RESOLVED bugs to CLOSED