On Fri, 2016-04-22 at 21:48 +0800, Matt Johnston wrote:
> Hi Joakim,
>
> Does this work for changing passwords? I'm not entirely clear on what
> pam_chauthtok() does, but if it tries

Yes, it is about changing passwd. pam_chauthtok() is the pam function that
does that. However, I decided to take a crack at it myself and just got it
to work :) I need to cleanup and get some testing but I hope I can offer up
a patch soon.

Meanwhile, dropbear requires that the user must exist before authentication
and that bites us as in some cases the user is created during
pam_authenticate() in our systems. Is this something you would be willing
to change in dropbear?

 Jocke

> a PAM conversation with the user it won't work - Dropbear's PAM password
> login is a bit of a hack to just reply with the given password. (There's
> a branch https://secure.ucc.asn.au/hg/dropbear/shortlog/696205e3dc99
> to handle it properly, but that needs some attention before merging)

I will have a look at this too.

>
> I might be missing something though. I'll try to look further next week.
>
> Cheers,
> Matt
>
>
> > On Fri 22/4/2016, at 1:30 pm, Joakim Tjernlund
> > <[email protected]> wrote:
> >
> > On Tue, 2016-04-19 at 12:59 +0200, Joakim Tjernlund wrote:
> > >
> > > Just had a look at adding support for PAM_NEW_AUTHTOK_REQ in dropbear
> > > like so:
> > > --- a/svr-authpam.c
> > > +++ b/svr-authpam.c
> > > - if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
> > > + rc = pam_acct_mgmt(pamHandlep, 0);
> > > + if (rc == PAM_NEW_AUTHTOK_REQD) {
> > > + rc = pam_chauthtok(pamHandlep,
> > > PAM_CHANGE_EXPIRED_AUTHTOK);
> > > + }
> > > + if (rc != PAM_SUCCESS) {
> > >
> > > This is of course not enough and I wonder if upstream dropbear would be
> > > interested in adding support for PAM_NEW_AUTHTOK_REQ?
> > >
> > > Jocke
> > Ping ?
> >
> > PAM_NEW_AUTHTOK_REQ is needed to support passwd expiration, that is,
> > forcing the user to change passwd at first login/or passwd too old.
> >
> > Jocke
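Review bot: The added `pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK)` call depends on the conversation function registered on pamHandlep being able to answer the prompts a password change raises (current password, new password, retype), and Matt's reply above says Dropbear's PAM conversation currently just replies with the supplied login password to every prompt; with that callback every prompt of the change flow gets the same login password, which is not a usable change and at best gets rejected by the password module. Suggest keeping the PAM_NEW_AUTHTOK_REQD branch but, until a real conversation exists, failing closed (log the expired-token condition and deny the login) rather than calling pam_chauthtok, or making the conversation callback tell the prompts apart by msg_style and message text before it answers. Two smaller points on the same hunk: it carries no `@@` header and no context lines around the final `+ if (rc != PAM_SUCCESS) {`, so it cannot be applied as posted (a full `hg diff` / `diff -u` would help), and the shared error path should report which call failed (pam_acct_mgmt vs pam_chauthtok) via pam_strerror so an expired-password failure is distinguishable in the logs from an account denial.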
