[Bug 2049] Request for a configurable option for SFTP to display login information to the user after a successful login.
https://bugzilla.mindrot.org/show_bug.cgi?id=2049

Michael Watters <wattersm@watters.ws> changed:

What    |Removed                     |Added
----------------------------------------------------------------------------
CC      |                            |wattersm@watters.ws

--- Comment #9 from Michael Watters <wattersm@watters.ws> ---
Not sure if this is related but I'm now seeing password expiration
warnings when logging in as a user which does not have a password
expiration date set.

For example:

[root@f33 test_keys]# ssh -i id_rsa user1@localhost hostname 2>&1
Warning: your password will expire in 32766 days.

This account is an LDAP user which is defined using the rfc2307bis
schema.

Also, this message does not appear when logging in to a server running
OpenSSH 8.3 on Fedora 32. I have checked the sshd_config and pam.d
configuration on both systems which shows no difference at all.

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs

--- Comment #10 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Michael Watters from comment #9)
> [root@f33 test_keys]# ssh -i id_rsa user1@localhost hostname 2>&1
> Warning: your password will expire in 32766 days.

That sounds like one of the PAM stacks is returning that message, but
previously not in a way sshd would send to the client. You can check
this with my pam-test-harness tool:

$ wget https://www.dtucker.net/patches/pam-test-harness.c
$ cc -o pam-test-harness pam-test-harness.c -lpam
$ sudo ./pam-test-harness -s sshd -u $LOGNAME

which will give output something like:

$Id: pam-test-harness.c,v 1.35 2020/11/19 07:36:45 dtucker Exp $
conversation struct {conv=0x4017cd, appdata_ptr=0x405210}
pam_start(sshd, dtucker, &conv, &pamh) = 0 (Success)
pam_get_item(pamh, PAM_SERVICE, ...) = 0 (Success)
PAM_SERVICE = sshd (unchanged)
pam_set_item(pamh, PAM_TTY, "/dev/pts/6") = 0 (Success)
pam_set_item(pamh, PAM_RHOST, "[...]) = 0 (Success)
getlogin returned NULL (No such device or address) , skipping PAM_RUSER
pam_authenticate(pamh, 0x0)
conversation called with 1 messages data 0x405210
PROMPT_ECHO_OFF: Password: = 0 (Success)
pam_acct_mgmt(pamh, 0x0) = 0 (Success)
pam_open_session(pamh, 0x0) = 0 (Success)
pam_setcred(pamh, 0x0) = 0 (Success)
pam_get_item(pamh, PAM_SERVICE, ...) = 0 (Success)
PAM_SERVICE = sshd (unchanged)
pam_get_item(pamh, PAM_USER, ...) = 0 (Success)
PAM_USER = dtucker (unchanged)
pam_get_item(pamh, PAM_TTY, ...) = 0 (Success)
PAM_TTY = /dev/pts/6 (unchanged)
Standard environment variables:
PAM environment variables:
[...]
uid 0 euid 0 gid 0 egid 0
pam_close_session(pamh, 0) = 0 (Success)
pam_end(pamh, 0) = 0 (Success)

Does that also output the expiry warning and if so, after which pam
call?


--- Comment #11 from Michael Watters <wattersm@watters.ws> ---
Thanks for the response. It looks like the problem was that the user
did not have a password set in our LDAP database. I reset the password
for the user and the warning message is no longer being displayed.
Previously the password contained a null value which may be causing
some issues in PAM.
