Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. OpenSSH>
  3. Bugs
[Bug 869] Password expiration does not work for LDAP users
bugzilla-daemon at mindrot
May 17, 2004, 2:40 PM
Post #1 of 9 (482 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869

Summary: Password expiration does not work for LDAP users
Product: Portable OpenSSH
Version: -current
Platform: PPC
OS/Version: AIX
Status: NEW
Severity: critical
Priority: P2
Component: Miscellaneous
AssignedTo: openssh-bugs@mindrot.org
ReportedBy: gokoyev@us.ibm.com


There appears to be a problem with SSH on AIX 5.1 on systems running secldap
client (secldapclntd): ssh ignores the maxage attribute specified for the
SYSTEM=LDAP users in the ldap directory. Instead ssh is looking for the maxage
attribute in the /etc/security/user and the 'lastupdate' in the
/etc/security/passwd. If the default stanza in the /etc/security/user does not
contain maxage the LDAP user never gets a prompt to change the expired password.
If the default stanza does contain the maxage then the user always (even after
changing the password successfully) gets prompted to change the password (LDAP
users do not have stanzas in the /etc/security/passwd with the lastupdate
attribute).



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 17, 2004, 3:17 PM
Post #2 of 9 (480 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869





------- Additional Comments From dtucker@zip.com.au 2004-05-18 09:17 -------
All sshd does is call the system-supplied functions (setauthdb, passwdexpired),
it doesn't go looking into /etc/security itself. Does telnetd do what you expect?



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 17, 2004, 7:21 PM
Post #3 of 9 (481 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869





------- Additional Comments From vg@evasik.com 2004-05-18 13:21 -------
Thanks for fast response. telnetd does prompt for password change. I will test
passwdexpired function to see if it returns 0 as soon as I get back in the
office; it seems it's looking at wrong registry. Also if set the UseLogin to
yes sshd appears to work fine (I wonder if the 'login' uses passwdexpired or
something else like loginrestrictions?).



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 17, 2004, 7:37 PM
Post #4 of 9 (481 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED



------- Additional Comments From dtucker@zip.com.au 2004-05-18 13:37 -------
If you run the server in debug mode ("/path/to/sshd -ddd") you can see what
arguments are given to setauthdb and what the results of passwdexpired are.
Most of the AIX-specific code (including those bits) is in
openbsd-compat/port-aix.c.

Logging in via telnet is going to exec /usr/bin/login anyway, so it's not
surprising that sshd with UseLogin works. What we need to figure out is what
login is does differently in this case...



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 17, 2004, 8:08 PM
Post #5 of 9 (479 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869





------- Additional Comments From dtucker@zip.com.au 2004-05-18 14:08 -------
Oh, and please attach the debug output from the server to this bug (use "Create
a New Attachment").



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 18, 2004, 6:19 AM
Post #6 of 9 (481 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869





------- Additional Comments From gokoyev@us.ibm.com 2004-05-19 00:19 -------
Created an attachment (id=637)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=637&action=view)
Debug output from sshd -ddd

passwdexpired is returning 1 for a password that is only 4 days old; maxage set
to 13 weeks?!



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 18, 2004, 7:10 AM
Post #7 of 9 (480 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869

dtucker@zip.com.au changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|ASSIGNED |RESOLVED
Resolution| |INVALID
Version|-current |3.7.1p2



------- Additional Comments From dtucker@zip.com.au 2004-05-19 01:10 -------
From the debugging:
debug1: match: OpenSSH_3.7.1p2-pwexp26_krb5 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26_krb5
debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): A file or
directory in the path name does not exist.

That looks like the IBM-supplied package (which is modified). It's not the
software as supplied by the OpenSSH team. (It's not the version you put in the
bug report either). You need to open a PMR against the IBM OpenSSH package.
Feel free to reopen this bug if you can reproduce the error with the vanilla
3.8.1p1 source distribution.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 18, 2004, 7:11 AM
Post #8 of 9 (480 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869





------- Additional Comments From gokoyev@us.ibm.com 2004-05-19 01:11 -------
Created an attachment (id=638)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=638&action=view)
test of passwdexpired() alone

the attached program returns this:

password not expired
passwdexpired() returened 0

if I set time forward 13 weeks it returnes this:

# /tmp/p
password expired
passwdexpired() returened 1

Does this mean that aix_setauthdb is not setting the registry correctly?
regards Vasiliy



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 869] Password expiration does not work for LDAP users [ In reply to ]
bugzilla-daemon at mindrot
May 18, 2004, 8:51 AM
Post #9 of 9 (482 views)
Permalink
http://bugzilla.mindrot.org/show_bug.cgi?id=869

gokoyev@us.ibm.com changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |VERIFIED
Version|3.7.1p2 |-current



------- Additional Comments From gokoyev@us.ibm.com 2004-05-19 02:51 -------
Just recompiled 3.8.1p1 and the issue does not exist. Thank you for your help.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal