[Bug 848] OpenSSH_3.8.1p1 - passwd -f does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=848

Summary: OpenSSH_3.8.1p1 - passwd -f does not work
Product: Portable OpenSSH
Version: 3.8p1
Platform: HPPA
OS/Version: HP-UX
Status: NEW
Severity: major
Priority: P2
Component: ssh
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: selvesteen@netscape.net


sshd skips passwd -f <username> password expiry when run with the "UsePAM no"
option.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

------- Additional Comments From selvesteen@netscape.net 2004-04-21 14:31 -------
Created an attachment (id=609)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=609&action=view)
server-log




------- Additional Comments From selvesteen@netscape.net 2004-04-21 14:33 -------
Created an attachment (id=610)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=610&action=view)
Client_log

sshd skips passwd change while Telnet prompts for a password change



------- Additional Comments From dtucker@zip.com.au 2004-04-21 14:59 -------
(From update of attachment 609)
[snip]
>debug3: mm_request_receive entering
>debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
>Failed publickey for mid from 127.0.0.1 port 49365 ssh2

The server log appears incomplete; there should be a section that looks like:
debug3: monitor_read: checking request 10
debug3: auth_shadow_pwexpired: today 12529 sp_lstchg 12407 sp_max 99999

Could you please attach that?

Also, what are the shadow settings in config.h? Do "grep SHADOW config.h"
after running configure.





dtucker@zip.com.au changed:

What    |Removed |Added
----------------------------------------------------------------------------
Status  |NEW     |ASSIGNED
Version |3.8p1   |3.8.1p1






selvesteen@netscape.net changed:

What                        |Removed |Added
----------------------------------------------------------------------------
Attachment #609 is obsolete |0       |1





------- Additional Comments From selvesteen@netscape.net 2004-04-21 19:53 -------
Created an attachment (id=611)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=611&action=view)
serverlog_shadow_installed

server-log with following options
1. shadow password installed
2. usepam no




------- Additional Comments From selvesteen@netscape.net 2004-04-21 19:55 -------
Created an attachment (id=612)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=612&action=view)
serverlog_noshadow_usepamno

server log with following options
1. No shadow passwords in system
2. usepam no



------- Additional Comments From selvesteen@netscape.net 2004-04-21 19:56 -------
Created an attachment (id=613)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=613&action=view)
serverlog_noshadow_usepamyes

server-log with following options
1. No shadow passwords
2. UsePAM yes




------- Additional Comments From binder@arago.de 2004-04-21 21:21 -------
Michael, do you use password login? It seems with UsePAM=no, the
password expiry code is only used for password logins, but not when
using for example public key logins.

At least, I only find one call to auth_shadow_pwexpired, which is
in auth-passwd.c



------- Additional Comments From kumaresh_ind@gmx.net 2004-04-21 21:56 -------
Yes. It has been mentioned that the authentication used was password
authentication.

In sshd_config, the configurations are:
UsePAM no
ChallengeResponseAuthentication no
PasswordAuthentication yes

A member in the passwd structure in HP-UX decides the password aging and it
is "char pw_age" [try "man 4 passwd" on HP-UX systems for details]. This is
applicable to the /etc/passwd file only.

The ssh code properly checks for expired passwords with shadow passwords, with
the field "spw->sp_expire" [function "auth_shadow_acctexpired()" in
auth-shadow.c]. That's why it works with shadow passwords.

So, IMHO, there has to be a check for the "pw_age" member when sshd is
configured with "UsePAM no" and if the system does not have shadow support, as
this case uses the /etc/passwd file.




------- Additional Comments From dtucker@zip.com.au 2004-04-21 22:09 -------
Created an attachment (id=615)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=615&action=view)
Add debug for pw_age

That seems pretty much right, the only wrinkle is that "passwd -f" does not
seem to set pw_age:
debug1: passwd gNrjkysyT2/LM pw_age

while /etc/passwd looks like this:
testuser:gNrjkysyT2/LM,..:203[...]



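The pw_age check proposed in this thread, as an added C example; it is not OpenSSH code and not the patch attached to this bug. It assumes the classic System V aging encoding described in passwd(4) (first character: maximum weeks, second: minimum weeks, remainder: week of last change, in the "./0-9A-Za-z" alphabet) and goes beyond the ",.." case to the general expiry rule; the function names and the "A.tP" and "0.tP" sample values are constructed for illustration.

```c
#include <string.h>
#include <time.h>

#define SECS_PER_WEEK (7L * 24 * 60 * 60)

/* Value (0..63) of one character of the "./0-9A-Za-z" alphabet, -1 if invalid. */
static int age_digit(char c)
{
    if (c == '.') return 0;
    if (c == '/') return 1;
    if (c >= '0' && c <= '9') return c - '0' + 2;
    if (c >= 'A' && c <= 'Z') return c - 'A' + 12;
    if (c >= 'a' && c <= 'z') return c - 'a' + 38;
    return -1;
}

/* Hypothetical helper: 1 = change required, 0 = not required, -1 = malformed.
 * pw_age is the text after the comma; NULL or "" means no aging is set. */
int pw_age_change_required(const char *pw_age, time_t now)
{
    long max_weeks, min_weeks = 0, last_change = 0;
    long now_weeks = (long)(now / SECS_PER_WEEK);
    size_t i, len;

    if (pw_age == NULL || (len = strlen(pw_age)) == 0)
        return 0;
    for (i = 0; i < len; i++)
        if (age_digit(pw_age[i]) < 0)
            return -1;
    max_weeks = age_digit(pw_age[0]);
    if (len > 1)
        min_weeks = age_digit(pw_age[1]);
    /* Remaining digits: week of last change, least significant first. */
    for (i = 2; i < len && i < 7; i++)
        last_change |= (long)age_digit(pw_age[i]) << (6 * (i - 2));
    /* ".." decodes to all zeros, so the second test fires: forced change. */
    if (last_change > now_weeks)
        return 1;
    return now_weeks > last_change + max_weeks && max_weeks >= min_weeks;
}

/* Hypothetical helper: takes the raw second field of an /etc/passwd line. */
int passwd_field_change_required(const char *field, time_t now)
{
    const char *comma = strchr(field, ',');
    return pw_age_change_required(comma ? comma + 1 : NULL, now);
}
```

A caller would run this on the raw /etc/passwd field rather than only on the pw_age member, since the debug output above shows pw_age coming back empty while the file still carries ",..".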