List: openssh-unix-dev
Subject: Re: AIX and ADMCHG
From: Ben Lindstrom <mouring () etoh ! eviladmin ! org>
Date: 2002-07-29 22:05:01
On Thu, 25 Jul 2002, Kevin Steves wrote:
> On Tue, Jul 23, 2002 at 10:57:07PM -0500, Ben Lindstrom wrote:
> > > For AIX, does the server use getuserpw() to check the ADMCHG flag
> > > before deciding to send back a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ or
> > > not? After the initial exchange, on AIX, it'll need to run a newpass() with
> > > perhaps a getuserattr() for a more complete explanation of the rules
> > > should the password be too weak, before sending the
> > > SSH_MSG_USERAUTH_PASSWD_CHANGEREQ again...until finally accepting the pass
> > > with a SSH_MSG_USERAUTH_SUCCESS.
> >
> > Right now *NOTHING* is checked. Not for bsd_auth, not for pam, not for
> > aix, or not for /etc/shadow. =)
>
> This is referring to password strength checking?
>
No, password expiring. I don't think it is OpenSSH's job to whine at the
user for bad passwords. It should be the job of PAM, BSD_AUTH, etc.
> > > Some of this may need to run in the PrivSep process. I'm assuming the
> > > PAM support code does something along the same lines...
> > >
> > > Sorry, just some random thoughts - haven't actually looked at the
> > > source. But ADMCHG was on my list of things to fix since we did the
> > > failedlogincount in #145 (btw, Darren, thanks for following up and
> > > integrating it into the source ;), but never got around to it.
> > >
> > > If we're missing this for AIX, I think we should welcome Kevin's patch
> > > ;)
> >
> > I can also start looking at this once I get comfortable with the AIX box
> > that has been loaned to me.
> >
> > However, I don't believe Kevin's patch uses ssh2 password change protocol
> > (not sure I have not seen in a few months). Whatever we do should use
> > that feature of the protocol since it allows us better security.
>
> I'm not sure if this refers to me, but which patch is this?
>
You had a patch (or I swore it was you =) that either allowed v1 or v2
password change for shadowed password files. Or at least a start of a
patch.
> > Which brings up a question: should we support password change for v1?
> > I'm inclined to say no. At least handle v2 protocol first.
>
> We should support Protocol 1 for password change. PAM users should
> look at current auth-pam.c which has solar's efforts in this area.
> I think we can re-enable password change for PAM now, but there are
> some other things I need to check.
>
Still we need to look at Protocol 2. And I'm totally and utterly confused
as to where password change code should even go.
- Ben
_______________________________________________
openssh-unix-dev@mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
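The exchange the thread describes (server answers an expired or admin-flagged account with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, the client re-sends a "password" request carrying the new password, the server repeats the change request while the new password fails policy, and finally accepts with SSH_MSG_USERAUTH_SUCCESS), as an added example that is not part of the original message or of OpenSSH. Message numbers and wire formats follow RFC 4252 section 8; the `PasswordState` class, the `check_new_password` policy stub (standing in for the AIX newpass()/getuserattr() rules mentioned above) and the `server_handle`/`run_exchange` helpers are constructed for illustration.

```python
"""Constructed walk-through of the SSH2 password-change exchange (RFC 4252 s.8)."""
import struct
from typing import Optional

# Message numbers from RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60
SERVICE = "ssh-connection"


def ssh_string(b: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def read_string(buf: bytes, off: int):
    """Decode one SSH string at `off`; returns (value, new_off). Refuses truncated input."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_passwd_changereq(prompt: str, lang: str = "") -> bytes:
    """Server -> client: byte 60, string prompt, string language tag."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8")) + ssh_string(lang.encode("ascii")))


def build_password_request(user: str, old_pw: str, new_pw: Optional[str]) -> bytes:
    """Client -> server: 'password' method. Boolean FALSE = plain login;
    TRUE followed by old and new password = change request."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode("utf-8"))
           + ssh_string(SERVICE.encode("ascii")) + ssh_string(b"password"))
    if new_pw is None:
        return msg + b"\x00" + ssh_string(old_pw.encode("utf-8"))
    return msg + b"\x01" + ssh_string(old_pw.encode("utf-8")) + ssh_string(new_pw.encode("utf-8"))


def parse_password_request(pkt: bytes) -> dict:
    """Server side: decode a 'password' USERAUTH_REQUEST into its fields, strictly."""
    if not pkt or pkt[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a USERAUTH_REQUEST")
    user, off = read_string(pkt, 1)
    service, off = read_string(pkt, off)
    method, off = read_string(pkt, off)
    if method != b"password":
        raise ValueError("not the password method")
    if off >= len(pkt):
        raise ValueError("missing change flag")
    change, off = pkt[off] != 0, off + 1
    old_pw, off = read_string(pkt, off)
    new_pw = None
    if change:
        new_pw, off = read_string(pkt, off)
    if off != len(pkt):
        raise ValueError("trailing bytes")
    return {"user": user.decode(), "service": service.decode(), "change": change,
            "old": old_pw.decode(), "new": None if new_pw is None else new_pw.decode()}


class PasswordState:
    """Constructed stand-in for the account record: current password plus a
    'must change at next login' flag in the role of AIX's ADMCHG."""
    def __init__(self, password: str, must_change: bool):
        self.password = password
        self.must_change = must_change


MIN_LEN = 8  # constructed policy value


def check_new_password(pw: str) -> Optional[str]:
    """Stub for the newpass()/getuserattr() policy check; None means acceptable."""
    if len(pw) < MIN_LEN:
        return "new password must be at least %d characters" % MIN_LEN
    return None


def server_handle(state: PasswordState, pkt: bytes) -> bytes:
    """One server decision per client request, never revealing why a bad old password failed."""
    req = parse_password_request(pkt)
    if req["old"] != state.password:
        return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"password") + b"\x00"
    if req["change"]:
        reason = check_new_password(req["new"])
        if reason:
            return build_passwd_changereq(reason)  # ask again, with the rule that failed
        state.password, state.must_change = req["new"], False
        return bytes([SSH_MSG_USERAUTH_SUCCESS])
    if state.must_change:
        return build_passwd_changereq("Your password has expired; enter a new one.")
    return bytes([SSH_MSG_USERAUTH_SUCCESS])


def run_exchange(state: PasswordState, user: str, old_pw: str, attempts) -> list:
    """Client side of the loop: plain login, then one change request per candidate
    while the server keeps sending CHANGEREQ. Returns the server message numbers seen."""
    reply = server_handle(state, build_password_request(user, old_pw, None))
    seen = [reply[0]]
    for new_pw in attempts:
        if reply[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
            break
        reply = server_handle(state, build_password_request(user, old_pw, new_pw))
        seen.append(reply[0])
    return seen
```

With a flagged account and the candidates `["short", "longenough1"]` the server emits 60, 60, 52: a change request on login, another carrying the policy failure, then success once the new password passes, which is the loop the thread sketches for AIX.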