Hello,
OpenSSH sshd calls (correctly) pam_acct_mgmt even for authentication methods that do not involve user passwords. The attached patch allows pam_unix to optionally ignore the password expiration. What do you think about it? Would it be OK to commit if I also provide documentation of the no_pass_expiry option?
Hi,
On Tue, Jan 26, Tomas Mraz wrote:
> Hello,
> OpenSSH sshd calls (correctly) pam_acct_mgmt even for authentication methods that do not involve user passwords. The attached patch allows pam_unix to optionally ignore the password expiration. What do you think about it? Would it be OK to commit if I also provide documentation of the no_pass_expiry option?
I have no problem with the patch, but I think if the password expiration should be ignored, they should not set it, openssh should not call it or the admin should not configure it ...
Thorsten
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
diff --git a/modules/pam_unix/pam_unix_acct.c b/modules/pam_unix/pam_unix_acct.c index 2799845..d9cf811 100644 --- a/modules/pam_unix/pam_unix_acct.c +++ b/modules/pam_unix/pam_unix_acct.c @@ -235,6 +235,11 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char **argv) } else retval = check_shadow_expiry(pamh, spent, &daysleft);
- if (on(UNIX_NO_PASS_EXPIRY, ctrl) &&
(retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED)) {
retval = PAM_SUCCESS;
- }
- switch (retval) { case PAM_ACCT_EXPIRED: pam_syslog(pamh, LOG_NOTICE,
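Review bot: the new block after check_shadow_expiry() maps PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED to PAM_SUCCESS whenever no_pass_expiry is on, regardless of how the user authenticated, so an admin who enables it for the sshd account stack also stops enforcing password expiry for password logins through that same stack. Gate the override on a marker that pam_sm_authenticate() records on success (pam_set_data()) and this hook reads back (pam_get_data()), so only logins pam_unix did not authenticate are exempted. The downgrade is also silent while every other outcome in the following switch goes through pam_syslog(); add a pam_syslog(pamh, LOG_NOTICE, ...) line before `retval = PAM_SUCCESS;` so the bypass leaves a trace in the logs.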
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h index 3729ce0..b9b1b1f 100644 --- a/modules/pam_unix/support.h +++ b/modules/pam_unix/support.h @@ -98,9 +98,10 @@ typedef struct { #define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */ #define UNIX_MIN_PASS_LEN 27 /* min length for password */ #define UNIX_QUIET 28 /* Don't print informational messages */ -#define UNIX_DES 29 /* DES, default */ +#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration */ +#define UNIX_DES 30 /* DES, default */ /* -------------- */ -#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */ +#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
#define UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
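Review bot: the comment on the new define, "Don't check for password expiration", overstates what the code does: check_shadow_expiry() still runs and PAM_ACCT_EXPIRED is still returned; only the two password-expiry codes are turned into success. Suggest "/* Ignore password (not account) expiration */" here and the same precise wording in the module's man page, which this patch does not touch yet. Renumbering UNIX_DES to 30 and UNIX_CTRLS_ to 31 is required because unix_args[] is indexed by these constants; the new table row must stay in the same position as the define.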
@@ -138,6 +139,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] = /* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000, 1}, /* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0}, /* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000, 0}, +/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000, 0}, /* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0, 1}, };
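Review bot: the new row is consistent with the defines (inserted right before "des", flag 02000000000 is the next free bit after quiet's 01000000000, mask _ALL_ON_ leaves the other controls alone), but this table is parsed by every management group of the module, so no_pass_expiry on an auth or password line is accepted silently and has no effect there. Either log a warning when the option is seen outside the account hook or state in the documentation that it is an account-type option only.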
Pam-developers mailing list
pam-developers@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/pam-developers@lists.fedorahosted...
On Wed, 2016-01-27 at 11:14 +0100, Thorsten Kukuk wrote:
> Hi,
> On Tue, Jan 26, Tomas Mraz wrote:
> > Hello,
> > OpenSSH sshd calls (correctly) pam_acct_mgmt even for authentication methods that do not involve user passwords. The attached patch allows pam_unix to optionally ignore the password expiration. What do you think about it? Would it be OK to commit if I also provide documentation of the no_pass_expiry option?
> I have no problem with the patch, but I think if the password expiration should be ignored, they should not set it, openssh should not call it or the admin should not configure it ...
They might use both password authentication - for console login for example - and public key auth.
In my opinion the most correct place to fix this is openssh - it should ignore these return values from pam_acct_mgmt if pam_authenticate() call is not the source of the successful authentication. I will try to push the change this way.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
On 27.1.2016 12:16, Tomas Mraz wrote:
> They might use both password authentication - for console login for example - and public key auth.
> In my opinion the most correct place to fix this is openssh - it should ignore these return values from pam_acct_mgmt if pam_authenticate() call is not the source of the successful authentication. I will try to push the change this way.
Here is another attempt at the patch. Actually sshd is not the only place where it makes sense to 'configurably' ignore the password expiration if pam_unix was not used for authentication. Another place can be crond - why disable cron jobs just because the password expired, for example. The new patch ignores the password expiration only in case pam_unix did not return PAM_SUCCESS in auth, and of course it still requires the no_pass_expiry option to be set.
What do you think about it?
Tomas Mraz
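An added model of the gating rule described in the message above; it is not pam_unix's code or the patch itself. The handle type and the two functions are stand-ins for pam_handle_t, pam_set_data()/pam_get_data() and the pam_sm_authenticate()/pam_sm_acct_mgmt() hooks, so that the rule can be compiled and exercised without libpam; the numeric return codes are Linux-PAM's.

```c
/* Added model, not code from pam_unix or the patch in this thread. The
 * handle is a constructed stand-in for the module data pam_sm_authenticate()
 * would record with pam_set_data() and pam_sm_acct_mgmt() read via pam_get_data(). */
#include <stdbool.h>
#include <stdio.h>

#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_ACCT_EXPIRED     13
#define PAM_AUTHTOK_EXPIRED  27

typedef struct {
    bool unix_authenticated; /* module-data marker: pam_unix did the auth */
} model_handle;

/* Stand-in for pam_sm_authenticate(): on success, leave the marker so a
 * later account-management call in the same transaction can see it. */
int model_authenticate(model_handle *h, bool password_ok)
{
    if (!password_ok)
        return PAM_AUTH_ERR;
    h->unix_authenticated = true;
    return PAM_SUCCESS;
}

/* Stand-in for pam_sm_acct_mgmt(). expiry_rc is the shadow check's verdict;
 * no_pass_expiry mirrors the module option proposed in the thread. */
int model_acct_mgmt(const model_handle *h, bool no_pass_expiry, int expiry_rc)
{
    bool pw_expiry = expiry_rc == PAM_NEW_AUTHTOK_REQD ||
                     expiry_rc == PAM_AUTHTOK_EXPIRED;
    /* Mask only password-expiry codes, only when the option is set, and
     * only when this module was not the authenticator (e.g. ssh pubkey). */
    if (no_pass_expiry && pw_expiry && !h->unix_authenticated)
        return PAM_SUCCESS;
    return expiry_rc; /* PAM_ACCT_EXPIRED and password-login expiry pass through */
}

int main(void)
{
    model_handle pubkey = { false }, password = { false };
    model_authenticate(&password, true);
    printf("pubkey login, option on:   %d\n", model_acct_mgmt(&pubkey, true, PAM_NEW_AUTHTOK_REQD));
    printf("password login, option on: %d\n", model_acct_mgmt(&password, true, PAM_NEW_AUTHTOK_REQD));
    printf("account expired, pubkey:   %d\n", model_acct_mgmt(&pubkey, true, PAM_ACCT_EXPIRED));
    return 0;
}
```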
On Thu, 2016-02-11 at 18:27 +0100, Tomas Mraz wrote:
> Here is another attempt at the patch. Actually sshd is not the only place where it makes sense to 'configurably' ignore the password expiration if pam_unix was not used for authentication. Another place can be crond - why disable cron jobs just because the password expired, for example. The new patch ignores the password expiration only in case pam_unix did not return PAM_SUCCESS in auth, and of course it still requires the no_pass_expiry option to be set.
> What do you think about it?
Ping? Any ideas? Patch review? I'd say this could be a useful, albeit slightly obscure, feature.
On Wed, Feb 17, Tomas Mraz wrote:
> Ping? Any ideas? Patch review? I'd say this could be a useful, albeit slightly obscure, feature.
As I already wrote for the first patch: I still think it's not the right way to go, but I'm fine with the patch.
Thorsten