
Re: pam_passwdqc, ssh and expired passwords

On Wed, Jun 26, 2002 at 04:09:20PM +1000, John Warburton wrote:

Hi John,

> I have installed pam_passwdqc 0.5 on my Solaris 2.8 box (latest recommended
> patches, Netra T1, Ultra SPARC II). I am testing this with openssh-3.1p1
> (yes I am configuring the latest openssh), and am having issues with
> accounts whose passwords have aged.

(BTW, the changing of expired passwords via PAM is gone with OpenSSH
3.3p1, will hopefully be re-added in future versions.)

> The config:
> /etc/pam.conf
> login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> login   account required        /usr/lib/security/$ISA/pam_projects.so.1
> login   account required        /usr/lib/security/$ISA/pam_unix.so.1
> other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> other   account required        /usr/lib/security/$ISA/pam_projects.so.1
> other   account required        /usr/lib/security/$ISA/pam_unix.so.1
> other   session required        /usr/lib/security/$ISA/pam_unix.so.1
> other   password required       /usr/lib/security/$ISA/pam_passwdqc.so
> ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
> other   password required       /usr/lib/security/$ISA/pam_unix.so.1
> use_first_pass
> The login attempt
> johnw@singer% ssh dawkins
> *******************************************************************
> *                                                                 *
> *         This service is for authorised ASIC users only.         *
> *                                                                 *
> *******************************************************************
> johnw@dawkins's password:
> Warning: Your password has expired, please change it now
> You can now choose the new password.
> A valid password should be a mix of upper and lower case letters,
> digits and other characters.  You can use an 8 character long
> password with characters from at least 3 of these 4 classes, or
> a 7 character long password containing characters from all the
> classes.  Characters that form a common pattern are discarded by
> the check.
> Enter new password:
> Re-type new password: Connection to dawkins closed by remote host.
> Connection to dawkins closed.
> I cannot login with the changed password, but only with the old (which is
> expired)

Well, as you can see, pam_passwdqc hasn't asked for the old password
despite you specifying ask_oldauthtok as required for stacking with
Sun's pam_unix.  This is because pam_passwdqc tries to be smart and
not ask for the old password when it is running as root.  pam_unix
would probably do the same.  But we see that it fails, and the syslog
messages suggest that it does want to obtain the old password.

Are you able to change passwords with such a setup (with pam_passwdqc),
with passwd(1)?  When running as the user?  When running as root?

From the information you've provided, I suspect that the latter will
fail in a similar way.  Although it worked for me.

If that is the case, I will be doing some more testing on Solaris 8.

If, however, this turns out to be OpenSSH specific, I will be doing
the testing only after this stuff is introduced into OpenSSH again.
It doesn't make sense to deal with 3.1p1 issues now.

Thanks for the report!

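As an added illustration of the stacking relationship discussed in this thread (not code from the thread or from pam_passwdqc itself), the following script parses a Solaris-style pam.conf and audits the password stack: pam_passwdqc should precede Sun's pam_unix and carry ask_oldauthtok, and pam_unix should take the tokens pam_passwdqc collected via use_first_pass. The sample config is constructed to mirror the one quoted above, with the wrapped module arguments rejoined on one line as pam.conf requires; the function and file names are the example's own.

```python
"""Audit the password stack in a Solaris-style pam.conf (added example)."""
from collections import defaultdict

# Constructed sample mirroring the config quoted in the thread; arguments the
# mail client wrapped are kept on one line, as pam.conf has no continuation lines.
SAMPLE_PAM_CONF = """\
other   auth     required   /usr/lib/security/$ISA/pam_unix.so.1
other   password required   /usr/lib/security/$ISA/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
other   password required   /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, [args])]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf entry: %r" % raw)
        service, mtype, control, path = fields[:4]
        module = path.rsplit("/", 1)[-1].split(".")[0]   # pam_unix.so.1 -> pam_unix
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks


def check_password_stack(stacks, service="other"):
    """List stacking problems between pam_passwdqc and Sun's pam_unix.

    An empty result only means the stack is wired correctly; it does not rule
    out the runtime behaviour discussed in the thread (pam_passwdqc skipping
    the old-password prompt when it runs as root)."""
    problems = []
    stack = stacks.get((service, "password"), [])
    mods = [m for _, m, _ in stack]
    if "pam_passwdqc" not in mods or "pam_unix" not in mods:
        return problems
    qc_idx, unix_idx = mods.index("pam_passwdqc"), mods.index("pam_unix")
    qc_args, unix_args = stack[qc_idx][2], stack[unix_idx][2]
    if qc_idx > unix_idx:
        problems.append("pam_passwdqc must precede pam_unix to hand it the passwords")
    if "use_first_pass" not in unix_args:
        problems.append("pam_unix lacks use_first_pass, so it will not reuse the collected tokens")
    if not any(a.startswith("ask_oldauthtok") for a in qc_args):
        problems.append("pam_passwdqc lacks ask_oldauthtok, which stacking with Sun's pam_unix needs")
    return problems
```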
