Mailing List Archive

[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker@zip.com.au changed:

What                    |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis|        |793





------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker@zip.com.au changed:

What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #5 is obsolete  |0       |1
Attachment #278 is obsolete|0       |1



------- Additional Comments From dtucker@zip.com.au 2004-02-08 09:34 -------
Created an attachment (id=540)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=540&action=view)
Hook shadow expiry into do_pwchange

This is basically a simple move of the existing shadow password expiry check
from auth.c into a new file auth-shadow.c, plus the hook to call it from
auth-passwd.c.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From dtucker@zip.com.au 2004-02-08 12:38 -------
Created an attachment (id=541)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=541&action=view)
Hook AIX password expiry into do_pwchange

This moves the AIX implementation of sys_auth_passwd to
openbsd-compat/port-aix.c and adds checking for expired passwords.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From dtucker@zip.com.au 2004-02-08 12:42 -------
Should have mentioned with earlier patches: OpenSSH -current now contains
support for changing expired passwords by exec'ing /usr/bin/passwd. The
previous 2 patches will apply only to recent snapshots.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From dtucker@zip.com.au 2004-02-08 14:10 -------
Created an attachment (id=542)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=542&action=view)
Hook the SSHv1 PAM password expired case into do_pwchange

Call do_pwchange for expired PAM passwords when Protocol=1 and
UsePrivilegeSeparation=yes.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker@zip.com.au changed:

What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #542 is obsolete|0       |1



------- Additional Comments From dtucker@zip.com.au 2004-02-10 11:33 -------
Created an attachment (id=543)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=543&action=view)
Use do_pwchange for SSHv1 password change without privsep

Also replaces sshpam_new_authtok_reqd with session->force_pwchange and removes
redundant functions from auth-pam.c.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From djm@mindrot.org 2004-02-10 11:57 -------
(From update of attachment 543)
>+ if (options.use_pam && !use_privsep && s->authctxt->force_pwchange) {
>+ display_loginmsg();
> do_pam_chauthtok();
> /* XXX - signal [net] parent to enable forwardings

...

>- if (s->authctxt->force_pwchange) {
>+ if (s->authctxt->force_pwchange && !(options.use_pam && !use_privsep)) {
> do_setusercontext(pw);
> child_close_fds();
> do_pwchange(s);
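Review bot: the guard in this hunk, `!(options.use_pam && !use_privsep)`, is the hand-written complement of the `if (options.use_pam && !use_privsep && s->authctxt->force_pwchange)` test in the earlier hunk, so the two branches can only stay consistent if both conditions are edited together. Clearing `s->authctxt->force_pwchange` once `do_pam_chauthtok()` has run would let this branch keep the original `if (s->authctxt->force_pwchange)` test and remove the coupling.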

What about the use_pam == 1, use_privsep == 1 and authctxt->force_pwchange == 1
case?




[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

djm@mindrot.org changed:

What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #540 Status|        |ok



------- Additional Comments From djm@mindrot.org 2004-02-10 12:05 -------
(From update of attachment 540)
I'm not sure we need a whole auth-shadow.h for a single function - is there
anywhere else the prototype could be stashed? (even as an extern in the file
where it is used)

Otherwise OK.




[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

djm@mindrot.org changed:

What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #541 Status|        |ok



------- Additional Comments From djm@mindrot.org 2004-02-10 12:07 -------
(From update of attachment 541)
looks OK to me, but you are the AIX expert.




[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From dtucker@zip.com.au 2004-02-10 12:12 -------
> What about the use_pam == 1, use_privsep == 1 and authctxt->force_pwchange == 1
> case?

This one will catch that:
+ if (s->authctxt->force_pwchange && !(options.use_pam && !use_privsep))
[...] do_pwchange()

= 1 && !(1 && !1)
= 1 && !(0)
= 1 && 1

do_pam_chauthtok() should only be called for use_pam = 1 and use_privsep = 0.
The logic could possibly be clearer, though.




[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From dtucker@zip.com.au 2004-02-10 12:16 -------
> I'm not sure we need a whole auth-shadow.h for a single function

I had thought that other shadow functions would go there too, eg
auth_shadow_acctexpired(). We could put them in auth.h instead and add
auth-shadow.h should it ever be worth it.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14





------- Additional Comments From djm@mindrot.org 2004-02-10 12:24 -------
Could it be simplified by resetting authctxt->force_pwchange after
do_pam_chauthtok()?



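The truth table dtucker walks through above (use_pam = 1, use_privsep = 1, force_pwchange = 1) and djm's suggestion of resetting force_pwchange after do_pam_chauthtok() can both be checked mechanically. The following is an added example, not OpenSSH code from the thread or the project: it models the two formulations of the dispatch as small pure functions over a constructed struct (pwctx, dispatch_complementary, dispatch_reset_flag and dispatch_equivalent are all hypothetical names), walks every combination of the three flags, and confirms that the complementary conditions of attachment 543 and the reset-the-flag variant select the same handler in every case and never run both.

```c
#include <stdio.h>

/* Which expired-password handler a configuration ends up in.
 * PATH_PAM_CHAUTHTOK stands for do_pam_chauthtok() run by the session
 * parent, PATH_DO_PWCHANGE for do_pwchange(s) run by the child. */
enum pwchange_path {
	PATH_NONE = 0,
	PATH_PAM_CHAUTHTOK = 1,
	PATH_DO_PWCHANGE = 2
};

/* Constructed stand-in for options.use_pam, use_privsep and
 * s->authctxt->force_pwchange; not sshd's real structures. */
struct pwctx {
	int use_pam;
	int use_privsep;
	int force_pwchange;
};

/* Attachment 543 as quoted in the thread: two hand-written conditions,
 * the second being the complement of the first. */
int dispatch_complementary(struct pwctx c)
{
	int path = PATH_NONE;

	if (c.use_pam && !c.use_privsep && c.force_pwchange)
		path |= PATH_PAM_CHAUTHTOK;
	if (c.force_pwchange && !(c.use_pam && !c.use_privsep))
		path |= PATH_DO_PWCHANGE;
	return path;
}

/* The simplification suggested in the thread: do_pam_chauthtok() clears
 * force_pwchange, so the child only needs to test the flag itself. */
int dispatch_reset_flag(struct pwctx c)
{
	int path = PATH_NONE;

	if (c.use_pam && !c.use_privsep && c.force_pwchange) {
		path |= PATH_PAM_CHAUTHTOK;
		c.force_pwchange = 0;	/* reset after do_pam_chauthtok() */
	}
	if (c.force_pwchange)
		path |= PATH_DO_PWCHANGE;
	return path;
}

/* Walk all eight flag combinations. Returns 1 if both formulations pick
 * the same handler everywhere, no combination runs both handlers, and an
 * expired password is never left unhandled; 0 otherwise. */
int dispatch_equivalent(void)
{
	int pam, privsep, force;

	for (pam = 0; pam <= 1; pam++)
		for (privsep = 0; privsep <= 1; privsep++)
			for (force = 0; force <= 1; force++) {
				struct pwctx c = { pam, privsep, force };
				int a = dispatch_complementary(c);
				int b = dispatch_reset_flag(c);

				if (a != b)
					return 0;
				if (a == (PATH_PAM_CHAUTHTOK | PATH_DO_PWCHANGE))
					return 0;
				if (force && a == PATH_NONE)
					return 0;
			}
	return 1;
}

int main(void)
{
	static const char *names[] = { "none", "pam_chauthtok", "do_pwchange", "BOTH" };
	int pam, privsep, force;

	printf("use_pam use_privsep force_pwchange  complementary  reset_flag\n");
	for (pam = 0; pam <= 1; pam++)
		for (privsep = 0; privsep <= 1; privsep++)
			for (force = 0; force <= 1; force++) {
				struct pwctx c = { pam, privsep, force };
				printf("%7d %11d %14d  %-13s  %s\n", pam, privsep, force,
				    names[dispatch_complementary(c)],
				    names[dispatch_reset_flag(c)]);
			}
	return dispatch_equivalent() ? 0 : 1;
}
```

The table the program prints makes the case djm asked about visible on one line: with PAM and privsep both on, neither guard selects do_pam_chauthtok(), so the child falls through to do_pwchange(), exactly as dtucker's hand evaluation shows. The reset-the-flag variant yields the same row without needing the second condition to be the negation of the first.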
[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker@zip.com.au changed:

What                       |Removed |Added
----------------------------------------------------------------------------
Attachment #543 is obsolete|0       |1



------- Additional Comments From dtucker@zip.com.au 2004-02-10 12:37 -------
Created an attachment (id=544)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=544&action=view)
Use do_pwchange for SSHv1 password change without privsep

> Could it be simplified by resetting authctxt->force_pwchange after
> do_pam_chauthtok()?

Yeah, much neater. Tidied up the extra debugs in auth-pam too.



[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

djm@mindrot.org changed:

What                  |Removed |Added
----------------------------------------------------------------------------
Attachment #544 Status|        |ok



------- Additional Comments From djm@mindrot.org 2004-02-10 13:12 -------
(From update of attachment 544)
fine by me




[Bug 14] Can't change expired /etc/shadow password without PAM
http://bugzilla.mindrot.org/show_bug.cgi?id=14

dtucker@zip.com.au changed:

What             |Removed  |Added
----------------------------------------------------------------------------
BugsThisDependsOn|463      |
Status           |ASSIGNED |RESOLVED
Resolution       |         |FIXED



------- Additional Comments From dtucker@zip.com.au 2004-02-10 13:27 -------
Patches 540, 541 & 544 applied. Yeehaa....


