https://bugzilla.mindrot.org/show_bug.cgi?id=2796
Darren Tucker <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Darren Tucker <[email protected]> ---
I spent a long time looking into this a long time ago (bug #14!).

The SSH protocol has a mechanism for this called
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (RFC 4252 section 8). Unfortunately I know
of no usable standard interface that implements the required semantics. I've
looked at:

- PAM. pam_chauthtok() requires that it can interact directly with the user,
  but during PASSWD_CHANGEREQ it can't. You could potentially have a blind
  conversation function that responds, but it could be getting "enter new
  password" twice, maybe with "enter old password" before that. It could even
  be asking "enter message to be broadcast to all users" for all it knows.
  It does use this during keyboard-interactive when it can interact.

- execing /bin/passwd. That's what it does when it gets to a tty and your
  password is still expired.

- directly manipulating password files. There's lots of problems with this.
  While getpwent and friends provide a standard way to read them, there's no
  equivalent standard API for writing them. The files and their formats vary
  by platform (eg passwd, shadow, master.passwd and probably others), and
  even if you could this would not implement the system's password
  complexity rules. I did consider wrapping /bin/passwd somehow but that
  would be fragile.

- some platform-specific interfaces. The only one I recall is AIX's
  putuserpw() which would actually work, but I don't know of any others
  offhand.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
[email protected]
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
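For readers who have not seen the RFC 4252 section 8 exchange the comment refers to, here is a worked example of it on the wire. This is added illustration code written for this page, not OpenSSH code and not anything Darren posted: a toy server that answers a plain password request with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (message 60) when the account is flagged expired, and a client that answers with the change form of SSH_MSG_USERAUTH_REQUEST (boolean TRUE, old password, new password). The account table, the `expired` flag and the "at least 8 characters and different from the old one" rule are constructed stand-ins; in a real sshd the last step is exactly the part the comment says has no portable API, since the server is holding old and new password with no way to hand them to pam_chauthtok() or /bin/passwd.

```python
"""Wire format of the RFC 4252 section 8 password-change exchange (added example)."""
import hmac
import struct

# Message numbers from RFC 4250 / RFC 4252.
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60


def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Parse one SSH string at offset off; return (bytes, new offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_userauth_password(user, service, password, new_password=None):
    """SSH_MSG_USERAUTH_REQUEST, method 'password'.
    new_password=None gives the plain form (boolean FALSE, password);
    otherwise the change form (boolean TRUE, old password, new password)
    that a client sends in answer to PASSWD_CHANGEREQ."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + ssh_string(user.encode("utf-8"))
           + ssh_string(service.encode("utf-8")) + ssh_string(b"password"))
    if new_password is None:
        return msg + b"\x00" + ssh_string(password.encode("utf-8"))
    return (msg + b"\x01" + ssh_string(password.encode("utf-8"))
            + ssh_string(new_password.encode("utf-8")))


def build_passwd_changereq(prompt, lang="en"):
    """SSH_MSG_USERAUTH_PASSWD_CHANGEREQ: prompt string, language tag."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8")) + ssh_string(lang.encode("utf-8")))


def parse_userauth_password(msg: bytes) -> dict:
    """Server-side parser for both forms; rejects short or oversized input."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    off = 1
    user, off = read_string(msg, off)
    service, off = read_string(msg, off)
    method, off = read_string(msg, off)
    if method != b"password":
        raise ValueError("not the password method")
    if off >= len(msg):
        raise ValueError("missing change flag")
    change = msg[off] != 0
    off += 1
    password, off = read_string(msg, off)
    new_password = None
    if change:
        new_password, off = read_string(msg, off)
    if off != len(msg):
        raise ValueError("trailing bytes after message")
    return {"user": user.decode("utf-8"), "service": service.decode("utf-8"),
            "password": password.decode("utf-8"),
            "new_password": None if new_password is None else new_password.decode("utf-8")}


class ToyServer:
    """Constructed server: accounts is {user: {"password": str, "expired": bool}}.
    The MIN_LEN rule stands in for the platform's real complexity policy."""
    MIN_LEN = 8

    def __init__(self, accounts):
        self.accounts = accounts

    def handle(self, msg: bytes) -> bytes:
        req = parse_userauth_password(msg)
        acct = self.accounts.get(req["user"])
        if acct is None or not hmac.compare_digest(
                acct["password"].encode("utf-8"), req["password"].encode("utf-8")):
            # USERAUTH_FAILURE: name-list of methods that can continue, partial=FALSE
            return bytes([SSH_MSG_USERAUTH_FAILURE]) + ssh_string(b"password") + b"\x00"
        if req["new_password"] is None:
            if acct["expired"]:
                return build_passwd_changereq("Your password has expired; choose a new one.")
            return bytes([SSH_MSG_USERAUTH_SUCCESS])
        new = req["new_password"]
        if len(new) < self.MIN_LEN or new == req["password"]:
            # Section 8 allows the server to re-issue CHANGEREQ for an unacceptable password.
            return build_passwd_changereq("Password too short or unchanged; try again.")
        acct["password"] = new          # the step with no portable API in a real sshd
        acct["expired"] = False
        return bytes([SSH_MSG_USERAUTH_SUCCESS])


def run_exchange(server: ToyServer, user: str, old: str, new: str) -> list:
    """Client side: send the plain request, answer one CHANGEREQ if it comes back.
    Returns the message numbers the server replied with, in order."""
    seen = []
    reply = server.handle(build_userauth_password(user, "ssh-connection", old))
    seen.append(reply[0])
    if reply[0] == SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        prompt, _ = read_string(reply, 1)   # a real client would show this to the user
        reply = server.handle(build_userauth_password(user, "ssh-connection", old, new))
        seen.append(reply[0])
    return seen
```

Running `run_exchange(ToyServer({"alice": {"password": "old-secret", "expired": True}}), "alice", "old-secret", "new-secret-2024")` yields `[60, 52]`: one CHANGEREQ, then success. Note that the client never types at a prompt during this exchange; the old and new passwords arrive in a single message, which is why a PAM conversation function driven from here would have to guess what each prompt is asking for.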
