On 27.1.2016 12:16, Tomas Mraz wrote:
> On St, 2016-01-27 at 11:14 +0100, Thorsten Kukuk wrote:
> > Hi,
> >
> > On Tue, Jan 26, Tomas Mraz wrote:
> >
> >> Hello,
> >>
> >> OpenSSH sshd calls (correctly) pam_acct_mgmt even for
> >> authentication
> >> methods that do not involve user passwords. The attached patch
> >> allows
> >> pam_unix to optionally ignore the password expiration. What do you
> >> think about it? Would it be OK to commit if I provide also
> >> documentation of the no_pass_expiry option?
> >
> > I have no problem with the patch, but I think if the password
> > expiration should be ignored, they should not set it, openssh
> > should not call it or the admin should not configure it ...
> >
> They might use both password authentication - for console login for
> example - and public key auth.
> In my opinion the most correct place to fix this is openssh - it should
> ignore these return values from pam_acct_mgmt if pam_authenticate()
> call is not the source of the successful authentication. I will try to
> push the change this way.
Here is another attempt at the patch. Actually sshd is not the only
place where it makes sense to 'configurably' ignore the password
expiration if pam_unix was not used for authentication. Another place
can be crond - why disable cron jobs just because the password expired,
for example. The new patch ignores the password expiration only in case
pam_unix did not return PAM_SUCCESS in auth, and of course it still
requires the no_pass_expiry option to be set.
What do you think about it?
Tomas Mraz
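To make the behaviour described above concrete, here is a constructed /etc/pam.d/sshd fragment showing where the no_pass_expiry option sits. This is an added illustration, not the attached patch and not a file from the thread; the surrounding lines are an assumed minimal sshd stack, and the sshd behaviour relied on (public-key logins skip pam_authenticate but still run pam_acct_mgmt) is taken from the thread itself.

```conf
# /etc/pam.d/sshd  (constructed example, not the patch from the thread)

# auth phase: pam_unix handles password logins.  For a public-key login
# sshd never calls pam_authenticate, so pam_unix does not return
# PAM_SUCCESS in the auth phase for that session.
auth       required   pam_unix.so

# account phase: sshd calls pam_acct_mgmt for every login method.
# Without the option an expired shadow password blocks (or forces a
# password change on) a user who authenticated with a key:
#
#   account  required  pam_unix.so
#
# With no_pass_expiry the expiry check is skipped only when pam_unix
# itself did not successfully authenticate the user in this session
# (the key-based case).  Password logins are still subject to expiry,
# so the console/password path keeps its usual enforcement.
account    required   pam_unix.so no_pass_expiry

session    required   pam_unix.so
```

The same account line would apply to a service such as crond, where pam_unix is never used for authentication at all, so with the option set the password-expiry result no longer disables the user's jobs while other account checks (for example an expired account rather than an expired password) remain in force.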