10:31 a.m.
Hello,
OpenSSH sshd calls (correctly) pam_acct_mgmt even for authentication
methods that do not involve user passwords. The attached patch allows
pam_unix to optionally ignore the password expiration. What do you
think about it? Would it be OK to commit if I provide also
documentation of the no_pass_expiry option?
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
4:14 a.m.
New subject: Add option to ignore password expiration in pam_unix
Hi,
On Tue, Jan 26, Tomas Mraz wrote:
Hello,
OpenSSH sshd calls (correctly) pam_acct_mgmt even for authentication
methods that do not involve user passwords. The attached patch allows
pam_unix to optionally ignore the password expiration. What do you
think about it? Would it be OK to commit if I provide also
documentation of the no_pass_expiry option?
I have no problem with the patch, but I think if the password
expiration should be ignored, they should not set it, openssh
should not call it or the admin should not configure it ...
Thorsten
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
diff --git a/modules/pam_unix/pam_unix_acct.c
b/modules/pam_unix/pam_unix_acct.c
index 2799845..d9cf811 100644
--- a/modules/pam_unix/pam_unix_acct.c
+++ b/modules/pam_unix/pam_unix_acct.c
@@ -235,6 +235,11 @@ pam_sm_acct_mgmt(pam_handle_t *pamh, int flags, int argc, const char
**argv)
} else
retval = check_shadow_expiry(pamh, spent, &daysleft);
+ if (on(UNIX_NO_PASS_EXPIRY, ctrl) &&
+ (retval == PAM_NEW_AUTHTOK_REQD || retval == PAM_AUTHTOK_EXPIRED)) {
+ retval = PAM_SUCCESS;
+ }
+
switch (retval) {
case PAM_ACCT_EXPIRED:
pam_syslog(pamh, LOG_NOTICE,
diff --git a/modules/pam_unix/support.h b/modules/pam_unix/support.h
index 3729ce0..b9b1b1f 100644
--- a/modules/pam_unix/support.h
+++ b/modules/pam_unix/support.h
@@ -98,9 +98,10 @@ typedef struct {
#define UNIX_BLOWFISH_PASS 26 /* new password hashes will use blowfish */
#define UNIX_MIN_PASS_LEN 27 /* min length for password */
#define UNIX_QUIET 28 /* Don't print informational messages */
-#define UNIX_DES 29 /* DES, default */
+#define UNIX_NO_PASS_EXPIRY 29 /* Don't check for password expiration */
+#define UNIX_DES 30 /* DES, default */
/* -------------- */
-#define UNIX_CTRLS_ 30 /* number of ctrl arguments defined */
+#define UNIX_CTRLS_ 31 /* number of ctrl arguments defined */
#define
UNIX_DES_CRYPT(ctrl) (off(UNIX_MD5_PASS,ctrl)&&off(UNIX_BIGCRYPT,ctrl)&&off(UNIX_SHA256_PASS,ctrl)&&off(UNIX_SHA512_PASS,ctrl)&&off(UNIX_BLOWFISH_PASS,ctrl))
@@ -138,6 +139,7 @@ static const UNIX_Ctrls unix_args[UNIX_CTRLS_] =
/* UNIX_BLOWFISH_PASS */ {"blowfish", _ALL_ON_^(0260420000), 0200000000,
1},
/* UNIX_MIN_PASS_LEN */ {"minlen=", _ALL_ON_, 0400000000, 0},
/* UNIX_QUIET */ {"quiet", _ALL_ON_, 01000000000,
0},
+/* UNIX_NO_PASS_EXPIRY */ {"no_pass_expiry", _ALL_ON_, 02000000000,
0},
/* UNIX_DES */ {"des", _ALL_ON_^(0260420000), 0,
1},
};
_______________________________________________
Pam-developers mailing list
pam-developers(a)lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/pam-developers@lists.fedorahos...
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
5:16 a.m.
New subject: Add option to ignore password expiration in pam_unix
On St, 2016-01-27 at 11:14 +0100, Thorsten Kukuk wrote:
Hi,
On Tue, Jan 26, Tomas Mraz wrote:
> Hello,
>
> OpenSSH sshd calls (correctly) pam_acct_mgmt even for
> authentication
> methods that do not involve user passwords. The attached patch
> allows
> pam_unix to optionally ignore the password expiration. What do you
> think about it? Would it be OK to commit if I provide also
> documentation of the no_pass_expiry option?
I have no problem with the patch, but I think if the password
expiration should be ignored, they should not set it, openssh
should not call it or the admin should not configure it ...
They might use both password authentication - for console login for
example - and public key auth.
In my opinion the most correct place to fix this is openssh - it should
ignore these return values from pam_acct_mgmt if pam_authenticate()
call is not the source of the successful authentication. I will try to
push the change this way.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
11:27 a.m.
New subject: Add option to ignore password expiration in pam_unix
On 27.1.2016 12:16, Tomas Mraz wrote:
On St, 2016-01-27 at 11:14 +0100, Thorsten Kukuk wrote:
> Hi,
>
> On Tue, Jan 26, Tomas Mraz wrote:
>
>> Hello,
>>
>> OpenSSH sshd calls (correctly) pam_acct_mgmt even for
>> authentication
>> methods that do not involve user passwords. The attached patch
>> allows
>> pam_unix to optionally ignore the password expiration. What do you
>> think about it? Would it be OK to commit if I provide also
>> documentation of the no_pass_expiry option?
>
> I have no problem with the patch, but I think if the password
> expiration should be ignored, they should not set it, openssh
> should not call it or the admin should not configure it ...
>
They might use both password authentication - for console login for
example - and public key auth.
In my opinion the most correct place to fix this is openssh - it should
ignore these return values from pam_acct_mgmt if pam_authenticate()
call is not the source of the successful authentication. I will try to
push the change this way.
Here is another attempt at the patch. Actually sshd is not the only
place where it makes sense to 'configurably' ignore the password
expiration if pam_unix was not used for authentication. Another place
can be crond - why disable cron jobs just because password expired for
example. The new patch ignores the password expiration only in case
pam_unix did not return PAM_SUCCESS in auth and of course it still
requires the no_pass_expiry option to be set.
What do you think about it?
Tomas Mraz
3:33 a.m.
New subject: Add option to ignore password expiration in pam_unix
On Čt, 2016-02-11 at 18:27 +0100, Tomas Mraz wrote:
On 27.1.2016 12:16, Tomas Mraz wrote:
> On St, 2016-01-27 at 11:14 +0100, Thorsten Kukuk wrote:
> > Hi,
> >
> > On Tue, Jan 26, Tomas Mraz wrote:
> >
> > > Hello,
> > >
> > > OpenSSH sshd calls (correctly) pam_acct_mgmt even for
> > > authentication
> > > methods that do not involve user passwords. The attached patch
> > > allows
> > > pam_unix to optionally ignore the password expiration. What do
> > > you
> > > think about it? Would it be OK to commit if I provide also
> > > documentation of the no_pass_expiry option?
> >
> > I have no problem with the patch, but I think if the password
> > expiration should be ignored, they should not set it, openssh
> > should not call it or the admin should not configure it ...
> >
>
> They might use both password authentication - for console login for
> example - and public key auth.
>
> In my opinion the most correct place to fix this is openssh - it
> should
> ignore these return values from pam_acct_mgmt if pam_authenticate()
> call is not the source of the successful authentication. I will try
> to
> push the change this way.
Here is another attempt at the patch. Actually sshd is not the only
place where it makes sense to 'configurably' ignore the password
expiration if pam_unix was not used for authentication. Another
place
can be crond - why disable cron jobs just because password expired
for
example. The new patch ignores the password expiration only in case
pam_unix did not return PAM_SUCCESS in auth and of course it still
requires the no_pass_expiry option to be set.
What do you think about it?
Ping? Any ideas? Patch review? I'd say this could be useful albeit
slightly obscure feature.
--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
Turkish proverb
(You'll never know whether the road is wrong though.)
3:41 a.m.
New subject: Add option to ignore password expiration in pam_unix
On Wed, Feb 17, Tomas Mraz wrote:
Ping? Any ideas? Patch review? I'd say this could be useful
albeit
slightly obscure feature.
As I already wrote for the first patch: I still think it's not the
right way to go, but I'm fine with the patch.
Thorsten
--
Thorsten Kukuk, Senior Architect SLES & Common Code Base
SUSE LINUX GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
2985
days inactive
3007
days old
pam-developers@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Thorsten Kukuk -
Tomas Mraz