[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Security trough paranoia

On Sat, Apr 07, 2001 at 05:50:47PM +1000, Brian May wrote:
> >>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:
>     Ethan> this might work on unstable's ssh, but the ssh in stable
>     Ethan> will simply deny access if the password is expired.
> doesn't seem to be the case here, and it should be PAM not ssh:

ssh's pam support is somewhat broken.  

[snipped example]
> with ssh from unstable, are you sure the one from stable doesn't do
> this? (I think it is done by PAM not openssh anyway).

yes stable will give you a `Permission denied' if the password is
expired, it will not allow you to change it.  Wichert filed the
original bug a long time ago, it was marked fixed, i found it was
certainly not fixed and reopened, where it collected dust for the
better part of a year before Christian Kurz finally got it fixed (i
just remembered this happened about two months ago or so, i never
tested it).

the fix is only in OpenSSH 2 and not 1.2.3 which is in stable.  

[snipped example]
> perhaps that is what you were thinking of?

no plain password expiration, and i ensured i did it right by logging
into the console with this user and i indeed was allowed to login and
was forced to change the password, tried the same with ssh ->
Permission denied.  

your example does prove that the ssh in unstable is finally fixed, but
that does no good for stable users until this fall most likely.
unless they build the unstable ssh.  

Ethan Benson

Attachment: pgpA95WTbc60V.pgp
Description: PGP signature

Reply to: