[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

OpenSSH's {password,account} expirations

Hello all,

I added a note on this matter to one of my other emails at some
point or another, but I'm going to rehash it again here because
no one replied then and I still think it is a problem. If it isn't
a problem, I'd like to hear how this can -not- be considered a 

My problem is this, OpenSSH does not respect account nor password
expirations by default (by respect I mean it totally ignores them,
it doesn't matter if they are set and have expired). Why? 

I can only assume that this was done originally in rsh/rlogin in 
deference of non-interactive accounts which shouldn't be affected
by these and then carried over, but I can't see why we do it still, 
nor why it is the default action. 

Now agreed, I can use 'UseLogin yes' and my expirations will be heeded,
for interactive login sessions. This is OK, but one does still have to
ask why is it not default?

But wait, there is more.. even when I turn UseLogin to yes, it isn't
used all the time (as noted in the man page), so people can still 
circumvent account restrictions by using non-interactive commands
(whether they be shell commands, scp, sftp, whatever). Now, I don't know
about anyone else, but if I have set someone's account to expire on
May 1st, I don't really want them to be able to still login May 2nd,
which they still can, through a little trickery in usage of 
non-interactive commands. It isn't very hard to sftp up a bindshell
and then remotely execute it, thus bypassing the restrictions that
are there. Why do we even bother to put in such restrictions if we 
aren't going to enforce them?

Am I alone with this opinion? If it is something to be fixed I would
be glad to help, but first I want to know that it would be accepted into
the tree, which as it is still standing right now I have to assume it
wouldn't be. I would certainly appreciate feedback on the matter.

This entire bit probably applies to rsh/rlogin as well, but I'm not 
nearly as concerned about it as it isn't on by default nor used by