"Niels Möller" wrote:
>
> Thayne Harbaugh <[EMAIL PROTECTED]> writes:
>
> > lsh doesn't seem to honor any password aging set
> > in /etc/shadow. I imagine that this is because lsh
> > doesn't use pam (and we all know Niels opinion of that).
>
> Can you tell me how password aging in /etc/shadow works? (I
> use neither aging nor /etc/shadow). To fix the problem, first
> thing is to figure out exactly what we want. Some questions:
/etc/shadow contains userids (which correlate to /etc/passwd),
encrypted passwords, and password dates/days for how often
passwords have to and can be changed, when users are warned
about their passwords needing changing, and when accounts
are forcibly expired. "man chage" and "man shadow".
> Should aging affect all userauth methods or only password login?
I'm not sure what you mean by that. I know that you can su
to a user even when the password has expired. However a user
can't login if the password is expired. Hmmm. Let me try
rsh here. Even rsh won't let me in - even with a .rhosts entry -
when the password has expired. It appears that the account is
completely dead after expiration - unless "su" is used - there
might be something I'm overlooking.
> Does it make sense to use SSH_MSG_USERAUTH_PASSWD_CHANGEREQ? At least
> on PAM-ified, it might be better to let the user log in and then use a
> PAM-aware passwd-program to set a new password.
If the account is expired the user shouldn't be allowed in at
all. The user has to bother the sysadm to enable the account.
The account aging is sometimes used to forcibly disable
an account on a specific date regardless of what the user
does to change a password.
> > I find this a serious shortcoming because an admin
> > feels that they have locked out a user with password
> > aging but the user is still able to log in - this
> > is a security hole.
>
> Currently, lsh denies login (using any userauth method) for any user
> whose password field (as returned by getpwnam and getspnam) is less
> than two characters long. So setting the passwd field in /etc/shadow
> to "x" should lock the user out.
The bonus about using /etc/shadow with account/password aging
is that I can setup an account that will be forcibly disabled
in n days and I can forget about it. I won't have to remember
to login and set the password to "x" to disable the account.
The account will be automatically disabled with no further intervention
even though it has a valid password.
Thanks for the attention.
>
> /Niels
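As an added example that is not lsh code and not from either poster: a small Python check of the shadow(5) aging fields Thayne describes, applying the strict policy argued in the thread (an expired or inactive account is refused outright, not let in to change its password) and separately flagging the "password past max age" case that Niels's CHANGEREQ question concerns. The check order follows the shadow suite's isexpired() as I understand it; the sample entries, their dummy hashes and the "today" value are constructed.

```python
# Added example, not lsh code: parse shadow(5) entries and apply the aging rules
# from the thread. Fields: name:passwd:lastchg:min:max:warn:inactive:expire:flag;
# dates are days since 1970-01-01; an empty field means "not set".
FIELDS = ("lastchg", "min", "max", "warn", "inactive", "expire")

def parse_shadow_line(line: str) -> dict:
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError(f"malformed shadow line: {line!r}")
    entry = {"name": f[0], "passwd": f[1]}
    for key, raw in zip(FIELDS, f[2:8]):
        entry[key] = int(raw) if raw else None  # empty field: not set
    return entry

def account_status(e: dict, today: int) -> str:
    """Return 'locked', 'expired', 'inactive', 'must-change' or 'ok' (isexpired() order)."""
    # lsh's current rule: a password field under two characters ("x", "") is
    # unusable; "!" and "*" prefixes are the usual lock markers.
    if len(e["passwd"]) < 2 or e["passwd"][0] in "!*":
        return "locked"
    # Hard expiry date: the account is dead even with a valid password.
    if e["expire"] is not None and e["expire"] > 0 and today >= e["expire"]:
        return "expired"
    if e["lastchg"] == 0:  # forced change at next login
        return "must-change"
    if e["lastchg"] is None or e["max"] is None or e["max"] < 0:
        return "ok"  # no password aging configured
    # Past max age plus the inactivity grace period: locked out.
    if (e["inactive"] is not None and e["inactive"] >= 0
            and today >= e["lastchg"] + e["max"] + e["inactive"]):
        return "inactive"
    if today >= e["lastchg"] + e["max"]:
        return "must-change"  # the USERAUTH_PASSWD_CHANGEREQ case
    return "ok"

def login_allowed(line: str, today: int) -> bool:
    """Strict policy argued in the thread: anything but 'ok' is refused."""
    return account_status(parse_shadow_line(line), today) == "ok"

# Constructed sample entries (hashes are dummy placeholders); "today" = 13000.
SAMPLES = {
    "alice": "alice:$1$dummyhash:12900:0:90:7:::",     # 100 days old, max 90
    "bob":   "bob:$1$dummyhash:12990:0:90:7::13000:",  # account expires today
    "carol": "carol:$1$dummyhash:12990:0:90:7:::",     # fresh password
    "dave":  "dave:x:12990::::::",                     # lsh-style lockout
    "erin":  "erin:$1$dummyhash:12800:0:90:7:30::",    # past max + inactive
}

def sample_statuses(today: int = 13000) -> dict:
    return {u: account_status(parse_shadow_line(l), today) for u, l in SAMPLES.items()}
```

Note that bob is admitted on day 12999 and refused on day 13000 with the same valid password, which is exactly the "set it and forget it" disabling Thayne wants.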