
OpenSSH failing to check password and account expirations



Hello,

There have been a couple of posts about this (one thread on misc@ not by
me and one on tech@ by me). I've come to the conclusion that this is wrong
and there is no justification for it since no one wants to step up and 
explain why it ignores password and account expirations. If there is,
a reply would have been appreciated before now.

The problem, as noted in the subject, is that OpenSSH does not check 
pw_change & pw_expire for an account after it grabs it from getpwnam. 
I have written a patch to address this problem which has solved it for me.

An explanation of what the patch has changed:

- There is a bit in auth1.c which refuses the connection after it is
authenticated successfully if either variable is expired, with the appropriate
message. There is an identical bit in auth2.c. There was a slight 
rearrangement of if statements so that we weren't checking authenticated
4 times in consecutive if statements but rather only once in auth1.

- In order to add the above there is a small patch to misc.c so that the
needed variables (pw_change & pw_expire) are copied over to the duplicate
struct passwd as they were not previously copied.

- And to finish it off, there is a patch to session.c which prints a 
warning if either variable is nearing its expiration time (which I've 
modeled after login, output should be identical). This part is not quite
entirely complete in that it isn't as smooth as I would like. Since we are
not using login, it seems improper to use login_getcaptime() so at the
moment there is just a hard coded constant for testing purposes
(in this case 1 week). I would think this should either be changed to a
real constant and moved to an appropriate header, or even better adding an
option to the sshd config so the admin can set appropriate warning times
easily.

This patch adds expiration support for all SSH connections, whether
interactive or non-interactive.
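The two pieces of logic the patch describes, as an added, stand-alone C example (this is not the patch from the URL above and not OpenSSH code): a post-authentication check that refuses the session when pw_expire or pw_change has passed, and a session-start warning modelled on login(1) when either deadline is within a hard-coded one-week window. On OpenBSD these fields live in struct passwd; the small `pw_expiry` struct, the one-week `EXPIRY_WARN_SECONDS` constant and the function names are assumptions made so the example compiles on any POSIX system.

```c
/* Added example of the expiry check and warning described in the message.
 * Not the author's patch; the struct and names below are stand-ins. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Stand-in for the two BSD struct passwd fields (pw_change, pw_expire)
 * that the patch copies over. As on BSD, a value of 0 means "never". */
struct pw_expiry {
    time_t pw_change;  /* password must be changed by this time */
    time_t pw_expire;  /* account expires at this time */
};

/* Warning horizon; the message uses a hard-coded one week for testing. */
#define EXPIRY_WARN_SECONDS (7 * 24 * 60 * 60)

enum expiry_status {
    EXPIRY_OK = 0,
    EXPIRY_PASSWORD_EXPIRED,
    EXPIRY_ACCOUNT_EXPIRED
};

/* Post-authentication check (the auth1.c/auth2.c part): returns non-OK when
 * the connection should be refused. Account expiry is tested first because
 * an expired account outranks an expired password. */
enum expiry_status check_expiry(const struct pw_expiry *pw, time_t now)
{
    if (pw->pw_expire != 0 && now >= pw->pw_expire)
        return EXPIRY_ACCOUNT_EXPIRED;
    if (pw->pw_change != 0 && now >= pw->pw_change)
        return EXPIRY_PASSWORD_EXPIRED;
    return EXPIRY_OK;
}

/* Session-start warning (the session.c part): appends login(1)-style lines to
 * buf for each deadline that is still in the future but inside the warning
 * window. Returns the number of warnings written. ctime() already ends each
 * line with a newline. */
int expiry_warnings(const struct pw_expiry *pw, time_t now,
                    char *buf, size_t buflen)
{
    int n = 0;
    size_t used = 0;
    int w;

    if (buflen == 0)
        return 0;
    buf[0] = '\0';

    if (pw->pw_change != 0 && now < pw->pw_change &&
        pw->pw_change - now < EXPIRY_WARN_SECONDS && used < buflen) {
        w = snprintf(buf + used, buflen - used,
                     "Warning: your password expires on %s",
                     ctime(&pw->pw_change));
        if (w > 0)
            used += (size_t)w;
        n++;
    }
    if (pw->pw_expire != 0 && now < pw->pw_expire &&
        pw->pw_expire - now < EXPIRY_WARN_SECONDS && used < buflen) {
        w = snprintf(buf + used, buflen - used,
                     "Warning: your account expires on %s",
                     ctime(&pw->pw_expire));
        if (w > 0)
            used += (size_t)w;
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed record: password due in one hour, account never expires. */
    time_t now = time(NULL);
    struct pw_expiry pw = { now + 3600, 0 };
    char buf[512];

    if (check_expiry(&pw, now) != EXPIRY_OK) {
        puts("Password expired.");
        return 1;
    }
    if (expiry_warnings(&pw, now, buf, sizeof buf) > 0)
        fputs(buf, stdout);
    return 0;
}
```

The refusal check runs only after authentication succeeds, as the message describes, so an expired account still has to present valid credentials before it learns it is locked out; the warning text matches the "Warning: your ... expires on" lines in the example outputs at the end of the message.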

Example outputs are included at the end of this message, and the patch
can be found at http://www.sote.org/openbsd/patches/patch_exp-support
If the above URL is unreachable (I'm in the process of moving, my DSL
may be disconnected today) it is also reachable at 
http://www.cerias.purdue.edu/homes/rajak/openbsd/patch_exp-support

Feedback is welcome,

-b

raj@localhost's password: 
Received disconnect from 127.0.0.1: 2: Password expired.

raj@localhost's password: 
Warning: your password expires on Tue May 29 15:45:00 2001
Last login: Tue May 29 15:18:23 2001 from localhost

raj@localhost's password: 
Received disconnect from 127.0.0.1: Account expired

raj@localhost's password: 
Warning: your account expires on Tue May 29 15:48:00 2001
Last login: Tue May 29 15:46:05 2001 from localhost