
Re: Change Password when Password Expires



On Mon, 17 Apr 2000, paul wrote:

> > > How can I setup PAM so that when a users password has expired, it prompts
> > > the user to change it.
> > > I modified the login program to do this, but that does no good when a
> > > user logs in via ssh or telnet. I figure that the best place to make the
> > > changes is in PAM.
> > > Users are slow so simply warning them to change it before it expires does
> > > no good.
> > > Any body done this before ?
> > 
> > Yep.  And I can say that ssh is b0rken.  All you can do is to force
> > ssh to exec /bin/passwd when the password expires.  I don't have a problem with
> > telnet as it simply executes login.
> 
> How do you do that ?

Apply these two patches to ssh 1.2.27, ssh-pam_env+expire.patch first
and then ssh-forced.patch.  They add the ability for ssh to understand
PAM_NEW_AUTHTOK_REQD, and to run the normal passwd program as the user.
Works for me.
                                                                                      
If you prefer openssh then at ftp://ftp.pld.org.pl/stable/SRPMS/ you                  
can find working src rpm.                                                             
                                                                                      
Jan                                                                                   
-- 
Jan Rękorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl   |  OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, type MANIAC         |                   -- TROOPS by Kevin Rubio
diff -ur ssh-1.2.27.orig/auth-passwd.c ssh-1.2.27/auth-passwd.c
--- ssh-1.2.27.orig/auth-passwd.c	Thu Mar 30 17:36:09 2000
+++ ssh-1.2.27/auth-passwd.c	Thu Mar 30 17:49:01 2000
@@ -871,7 +871,7 @@
                                    strlen(server_user) + 2);
           snprintf(forced_command, 
                    sizeof(PASSWD_PATH) + strlen(server_user) + 2,
-                   "%.100s %.100s", PASSWD_PATH, server_user);
+                   "%.100s", PASSWD_PATH);
           packet_send_debug("Password if forced to be set at first login.");
         }
       else
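Review bot: The xmalloc size (whose first line precedes the hunk) and the snprintf bound on the hunk's third line still include `strlen(server_user) + 2`, although the formatted text is now only `PASSWD_PATH`, so the buffer size no longer describes what is written; shrinking both expressions to `sizeof(PASSWD_PATH)` keeps the size argument honest. The same mismatch appears in the sshd.c hunks at -1830, -1870, -1947 and -1988. Dropping the user argument also means passwd now acts on whatever identity sshd holds when the forced command runs, presumably after the switch to the user's uid — worth confirming and recording in a comment such as `/* no user argument: passwd runs as the logged-in user after privilege drop */`. The enclosing function starts and ends outside the hunk.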
diff -ur ssh-1.2.27.orig/sshd.c ssh-1.2.27/sshd.c
--- ssh-1.2.27.orig/sshd.c	Thu Mar 30 17:36:09 2000
+++ ssh-1.2.27/sshd.c	Thu Mar 30 17:49:59 2000
@@ -1830,7 +1830,7 @@
                                          strlen(user) + 2);
                 snprintf(forced_command, 
                          sizeof(PASSWD_PATH) + strlen(user) + 2,
-                         "%.100s %.100s", PASSWD_PATH, user);
+                         "%.100s", PASSWD_PATH);
               }
             else
               {
@@ -1870,7 +1870,7 @@
           {
             forced_command = xmalloc(sizeof(PASSWD_PATH) + strlen(user) + 2);
             snprintf(forced_command, sizeof(PASSWD_PATH) + strlen(user) + 2,
-                     "%.100s %.100s", PASSWD_PATH, user);
+                     "%.100s", PASSWD_PATH);
           }
         else
           {
@@ -1947,7 +1947,7 @@
                                          strlen(user) + 2);
                 snprintf(forced_command, 
                          sizeof(PASSWD_PATH) + strlen(user) + 2,
-                         "%.100s %.100s", PASSWD_PATH, user);
+                         "%.100s", PASSWD_PATH);
                 options.permit_empty_passwd = 1;
               }
             else
@@ -1988,7 +1988,7 @@
                                              strlen(user) + 2);
                     snprintf(forced_command, 
                              sizeof(PASSWD_PATH) + strlen(user) + 2,
-                             "%.100s %.100s", PASSWD_PATH, user);
+                             "%.100s", PASSWD_PATH);
                   }
                 else
                   {
@@ -4456,7 +4456,7 @@
   if (forced_passwd)
     {
       printf("You are required to change your password immediately (password expired)");
-      if (system(PASSWD_PATH" -k"))
+      if (system(PASSWD_PATH))
 	exit(1);
     }
 #endif
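Review bot: The `printf` on the context line above the changed call ends without a newline and is not flushed, so with a buffered stdout the notice can appear after passwd's own prompts rather than before them; change it to `printf("You are required to change your password immediately (password expired)\n"); fflush(stdout);`. `system()` also routes a fixed path through `/bin/sh` with the environment just installed from `env`, which gains nothing over `fork`/`execl(PASSWD_PATH, PASSWD_PATH, (char *)0)` with an explicit argv and avoids shell interpretation altogether. The same printf/system sequence is introduced by the sshd.c hunk at -4412 in the second patch. The enclosing function starts and ends outside the hunk.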
diff -ur ssh-1.2.27.orig/auth-passwd.c ssh-1.2.27/auth-passwd.c
--- ssh-1.2.27.orig/auth-passwd.c	Sat May 29 14:27:36 1999
+++ ssh-1.2.27/auth-passwd.c	Sat May 29 14:29:25 1999
@@ -162,6 +162,7 @@
 extern int retval;
 extern char* pampasswd;
 extern int origretval;
+extern int forced_passwd;
 #endif /* HAVE_PAM */
 #include "packet.h"
 #include "ssh.h"
@@ -750,6 +751,13 @@
        retval = pam_authenticate ((pam_handle_t *)pamh, 0);
      if (retval == PAM_SUCCESS)
        retval = pam_acct_mgmt ((pam_handle_t *)pamh, 0);
+     if (retval == PAM_NEW_AUTHTOK_REQD) {
+ 	    extern char *forced_command;
+ 
+ 	    forced_passwd = 1;
+ 	    forced_command = NULL;
+ 	    retval = PAM_SUCCESS;
+     }
      xfree(pampasswd);
    }
 #else /* HAVE_PAM */
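Review bot: Rewriting `retval` from `PAM_NEW_AUTHTOK_REQD` to `PAM_SUCCESS` makes account management report success for an account whose token has expired while nothing in this hunk changes the token, so enforcement rests entirely on `forced_passwd` being honoured later in sshd.c — where, in the second sshd.c hunk of this patch, that check is skipped when `options.use_login` is set. A comment here should record that contract, e.g. `/* Expired token: treat as authenticated; sshd.c must force PASSWD_PATH before the session or the change is never enforced. */`. Setting `forced_command = NULL` also discards any forced command chosen earlier in the authentication sequence, presumably on purpose, but that deserves a line of explanation too. The enclosing function continues outside the hunk, and the tab-indented braces differ from the surrounding GNU-style layout.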
diff -ur ssh-1.2.27.orig/sshd.c ssh-1.2.27/sshd.c
--- ssh-1.2.27.orig/sshd.c	Sat May 29 14:27:36 1999
+++ ssh-1.2.27/sshd.c	Sat May 29 14:31:11 1999
@@ -556,6 +556,7 @@
 char *pampasswd=NULL;
 int retval;
 int origretval;
+int forced_passwd = 0;
 #endif /* HAVE_PAM */
 
 /* Server configuration options. */
@@ -4412,10 +4413,53 @@
       fprintf(stderr, "\n");
     }
       
+#ifdef HAVE_PAM
+{
+  int i, j;
+  const char *const *pam_env;
+  char *tmp_pam_env;
+
+  pam_env = (const char *const *) pam_getenvlist ((pam_handle_t *) pamh);
+
+  if (pam_env != NULL)
+    {
+      tmp_pam_env = malloc (4096);
+      if (tmp_pam_env != NULL)
+	{
+	  for (i = 0; pam_env[i]; i++)
+	    {
+	      if (debug_flag)
+		fprintf (stderr, "env[%d] = %s\n", i, pam_env[i]);
+	      strncpy(tmp_pam_env, pam_env[i], 4095);
+	      tmp_pam_env[4095] = 0;
+	      j = 0;
+	      while (tmp_pam_env[j] != '=')
+		j++;
+	      tmp_pam_env[j] = 0;
+	      child_set_env (&env, &envsize, tmp_pam_env, &tmp_pam_env[j + 1]);
+	    }
+	}
+      free(tmp_pam_env);
+    }
+}
+#endif
+      
   
   /* Must take new environment into use so that .ssh/rc, /etc/sshrc and
      xauth are run in the proper environment. */
   environ = env;
+
+#ifdef HAVE_PAM
+#ifdef USELOGIN
+  if (!options.use_login)
+#endif /* USELOGIN */
+  if (forced_passwd)
+    {
+      printf("You are required to change your password immediately (password expired)");
+      if (system(PASSWD_PATH" -k"))
+	exit(1);
+    }
+#endif
 
 #ifdef HAVE_SIA
 #ifdef USELOGIN
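Review bot: The `while (tmp_pam_env[j] != '=') j++;` scan has no bound, so a PAM environment entry without an `=` (or one whose `=` was cut off by the 4095-byte copy) runs past the terminator and off the end of the 4096-byte buffer before `tmp_pam_env[j] = 0` writes at an arbitrary offset. Locating the separator with `strchr` and skipping malformed entries removes that out-of-bounds read and write; the rewritten loop body is below, after which `j` is unused and the declaration becomes `int i;`. The list returned by `pam_getenvlist` is never released either — presumably harmless in a child that is about to exec, but a comment saying so would help the next reader. The enclosing function starts and ends outside the hunk.
```c
	  for (i = 0; pam_env[i]; i++)
	    {
	      char *eq;
	      /* … unchanged: debug fprintf, strncpy into tmp_pam_env, terminator … */
	      eq = strchr(tmp_pam_env, '=');
	      if (eq == NULL)
		continue;	/* entry lacks a NAME=VALUE split: skip it */
	      *eq = 0;
	      child_set_env (&env, &envsize, tmp_pam_env, eq + 1);
	    }
```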
