Thayne Harbaugh <[EMAIL PROTECTED]> writes:
> lsh doesn't seem to honor any password aging set
> in /etc/shadow. I imagine that this is because lsh
> doesn't use pam (and we all know Niels' opinion of that).

Can you tell me how password aging in /etc/shadow works? (I
use neither aging nor /etc/shadow). To fix the problem, the first
thing is to figure out exactly what we want. Some questions:
Should aging affect all userauth methods or only password login?
Does it make sense to use SSH_MSG_USERAUTH_PASSWD_CHANGEREQ? At least
on PAM-ified systems, it might be better to let the user log in and then use a
PAM-aware passwd program to set a new password.

> I find this a serious shortcoming because an admin
> feels that they have locked out a user with password
> aging but the user is still able to log in - this
> is a security hole.

Currently, lsh denies login (using any userauth method) for any user
whose password field (as returned by getpwnam and getspnam) is less
than two characters long. So setting the passwd field in /etc/shadow
to "x" should lock the user out.

/Niels
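As an added illustration of the aging Thayne refers to and of the lock-out rule Niels describes (example code, not lsh's own), the check below applies the /etc/shadow aging fields as shadow(5) defines them to constructed entries. The struct mirrors struct spwd but is defined locally so the code runs without a real shadow file, and "today" is passed in as days since the epoch.

```c
#include <stdio.h>
#include <string.h>
/* Fields mirror struct spwd from shadow(5); -1 marks an empty field,
 * as getspnam() returns it. Added example, not lsh code. */
struct shadow_entry {
    const char *sp_pwdp; /* encrypted password field */
    long sp_lstchg;      /* day of last change (days since 1970-01-01); 0 = must change */
    long sp_max;         /* days the password stays valid */
    long sp_inact;       /* grace days after expiry before the account is disabled */
    long sp_expire;      /* absolute account expiry day */
};

enum acct_status {
    ACCT_OK,
    ACCT_LOCKED_PASSWD, /* lsh rule from the thread: field shorter than 2 chars */
    ACCT_EXPIRED,       /* sp_expire reached: account expired outright */
    ACCT_INACTIVE,      /* password expired and the sp_inact grace period is over */
    ACCT_MUST_CHANGE    /* password expired, or sp_lstchg == 0 */
};

/* Most severe condition first; 'today' is days since the epoch, passed in
 * rather than read from the clock so results are reproducible. */
enum acct_status check_account(const struct shadow_entry *sp, long today)
{
    if (sp->sp_pwdp == NULL || strlen(sp->sp_pwdp) < 2)
        return ACCT_LOCKED_PASSWD;
    if (sp->sp_expire >= 0 && today >= sp->sp_expire)
        return ACCT_EXPIRED;
    if (sp->sp_lstchg == 0)
        return ACCT_MUST_CHANGE;
    if (sp->sp_lstchg > 0 && sp->sp_max >= 0) {
        long expired_on = sp->sp_lstchg + sp->sp_max;
        if (sp->sp_inact >= 0 && today > expired_on + sp->sp_inact)
            return ACCT_INACTIVE;
        if (today > expired_on)
            return ACCT_MUST_CHANGE;
    }
    return ACCT_OK;
}

int main(void)
{
    /* Constructed entries; "$6$PLACEHOLDER" stands in for a real hash. */
    struct shadow_entry locked = { "x", 1000, 99999, -1, -1 };
    struct shadow_entry stale  = { "$6$PLACEHOLDER", 1000, 30, 10, -1 };
    printf("locked: %d  stale on day 1040: %d  stale on day 1045: %d\n",
           check_account(&locked, 2000), check_account(&stale, 1040),
           check_account(&stale, 1045));
    return 0;
}
```

An account whose password has merely passed sp_max is still reachable (it must change its password), while one past sp_max + sp_inact, or past sp_expire, is not; lsh's length check catches only the first enum case.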