
Re: Security trough paranoia



On 7 Apr 2001, Brian May wrote:

> >>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:

>     Ethan> this might work on unstable's ssh, but the ssh in stable
>     Ethan> will simply deny access if the password is expired.

> doesn't seem to be the case here, and it should be PAM not ssh:

It was an ssh bug.  OpenSSH didn't provide a reasonable mechanism for
conversing with the user when the password needed to be changed, so the only
thing sshd could do when a password was expired was deny access.

I'm quite pleased at the work upstream has done in getting PAM support
integrated; although there are still some obscure glitches, they have the best
PAM support by far of any ssh daemon to date.

> snoopy:~# chage bam
> Changing the aging information for bam
> Enter the new value, or press return for the default

> 	Minimum Password Age [0]:
> 	Maximum Password Age [9999]: 2
> 	Last Password Change (YYYY-MM-DD) [2001-03-31]:
> 	Password Expiration Warning [7]:
> 	Password Inactive [-1]:
> 	Account Expiration Date (YYYY-MM-DD) [1969-12-31]:


> snoopy:~# chage bam
> Changing the aging information for bam
> Enter the new value, or press return for the default

> 	Minimum Password Age [0]:
> 	Maximum Password Age [2]:
> 	Last Password Change (YYYY-MM-DD) [2001-03-31]:
> 	Password Expiration Warning [7]:
> 	Password Inactive [-1]: 1
> 	Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

So using this method, you have to manually age the passwords for all users on
your system.  You also force users to /change/ their passwords; there's no
provision here for cases where you want to update the system to use more
secure password hashes, but don't want to require everyone to change their
passwords in the process.  In this case, there are definite advantages to
using PAM to effect the change in hashing algorithm.

Steve Langasek
postmodern programmer
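To see what the quoted chage settings actually do at login time, here is an added example (mine, not code from the thread) that classifies shadow(5) entries by date; the shadow lines and hashes are constructed placeholders, and the check order follows shadow(5) as I read it.

```python
from datetime import date

# shadow(5) stores dates as days since 1970-01-01; an empty field means "not enforced".
EPOCH = date(1970, 1, 1)

# Constructed sample, not a real shadow file: "bam" mirrors the chage settings
# quoted in the thread (last change 2001-03-31 = day 11412, max age 2, inactive 1);
# "ops" has no maximum age, so it is never forced to change.
SAMPLE_SHADOW = """\
bam:$1$CONSTRUCTED$placeholderhash:11412:0:2:7:1::
ops:$1$CONSTRUCTED$placeholderhash:11412:0::7:::
"""

def _num(field):
    return int(field) if field else None

def parse_shadow_line(line):
    """Split one shadow(5) line into a dict; empty numeric fields become None."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("malformed shadow entry: %r" % line)
    return {"name": f[0], "lastchg": _num(f[2]), "min": _num(f[3]),
            "max": _num(f[4]), "warn": _num(f[5]), "inactive": _num(f[6]),
            "expire": _num(f[7])}

def password_state(e, today):
    """Classify an entry on a date: 'ok', 'warn', 'expired' (login must change
    the password; stable's sshd just denies it) or 'locked' (no login at all)."""
    now = (today - EPOCH).days
    if e["expire"] is not None and e["expire"] > 0 and now >= e["expire"]:
        return "locked"                       # account expiration date passed
    if e["lastchg"] == 0:
        return "expired"                      # 0 forces a change at next login
    if e["lastchg"] is None or e["max"] is None:
        return "ok"                           # no password aging enforced
    expiry = e["lastchg"] + e["max"]
    if e["inactive"] is not None and now >= expiry + e["inactive"]:
        return "locked"                       # inactivity grace period used up
    if now >= expiry:
        return "expired"
    if e["warn"] is not None and now >= expiry - e["warn"]:
        return "warn"
    return "ok"

def state_on(line, year, month, day):
    return password_state(parse_shadow_line(line), date(year, month, day))

def audit(shadow_text, year, month, day):
    """Map every account in a shadow file to its state on the given date."""
    return {parse_shadow_line(l)["name"]: state_on(l, year, month, day)
            for l in shadow_text.splitlines() if l.strip()}

if __name__ == "__main__":
    for d in ((2001, 3, 31), (2001, 4, 2), (2001, 4, 3)):
        print(d, audit(SAMPLE_SHADOW, *d))
```

Running `audit` over a copy of the real file before applying a site-wide chage policy shows which accounts would be forced to change, and which would be locked out outright, on a given day.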


