rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Julian Elischer
I've received a few reports from the field that password aging with ssh in 4.7 and 4.8RC is broken. Is there anyone out there that is using password expiry and ssh? Who's the expert? The method being used: Define a class called the shellusers class in the /etc/login.conf. Run cap_mkdb on the

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Dag-Erling Smørgrav
Julian Elischer [EMAIL PROTECTED] writes: Ok so we'll have to miss 4.8. Does making it work for PAM allow it to work for ssh? I don't understand what you mean - PAM already supports password expiry and changing, so it should work for console logins at least (though to be honest I never tested

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Dag-Erling Smørgrav
Julian Elischer [EMAIL PROTECTED] writes: The other thing they are on about is 3 tries and you are out password lockouts. /usr/src/contrib/libpam/modules/pam_tally.c is what they want. We're trying to 'resurrect' it and see if it still works with 4.8. Is there a similar file for the new PAM

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Dag-Erling Smørgrav
[EMAIL PROTECTED] (Dag-Erling Smørgrav) writes: How does PAM come into this? It doesn't, really. It's a privsep problem + the fact that some of the pertinent code has been disabled and / or left unimplemented because it wouldn't work with privsep (so turning privsep off won't help). I just

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Dag-Erling Smørgrav
Julian Elischer [EMAIL PROTECTED] writes: I've received a few reports from the field that password aging with ssh in 4.7 and 4.8RC is broken. Recent versions of OpenSSH do not support prompting the user for a new password. I haven't tested it, but I think users with expired passwords will

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Julian Elischer
On Tue, 18 Mar 2003, Dag-Erling Smørgrav wrote: Julian Elischer [EMAIL PROTECTED] writes: I've received a few reports from the field that password aging with ssh in 4.7 and 4.8RC is broken. Recent versions of OpenSSH do not support prompting the user for a new password. I

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Dag-Erling Smørgrav
Julian Elischer [EMAIL PROTECTED] writes: So, the fix would be to go back to an old version of ssh? Yes, but you'd have to go back to a version with known remotely exploitable vulnerabilities. Since this is a problem for you and your customers, I will look into getting password changing to

Re: rumour of password aging failure in 4.7/4.8RC

2003-03-18 Thread Julian Elischer
On Tue, 18 Mar 2003, Dag-Erling Smørgrav wrote: Julian Elischer [EMAIL PROTECTED] writes: So, the fix would be to go back to an old version of ssh? Yes, but you'd have to go back to a version with known remotely exploitable vulnerabilities. Since this is a problem for you