RE: Support for RFC4252 in sshd with PAM


 



Hi

I'm trying to integrate a Java application using SSHJ
<https://github.com/hierynomus/sshj> (client-side) with OpenSSH 7.4.  This
is fine, except where I get to a password expiry situation.

Looking at RFC4252 <https://www.ietf.org/rfc/rfc4252.txt> (which is
supported by SSHJ) I don't see any SSH_MSG_USERAUTH_PASSWD_CHANGEREQ [60]
messages getting passed from OpenSSH.  SSHJ expects these to allow prompting
for a new password.

The only references to SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ in the OpenSSH
Portable code are in "sshconnect2.c", which I believe is client-side.

So is RFC4252 supported for sshd (server-side)?

I have compiled OpenSSH Portable
<https://github.com/openssh/openssh-portable> (v 7.8) on CentOS 7 (using
PAM) and got into debug mode.

In sshd_config I have:

    UsePAM yes
    PasswordAuthentication yes
    ChallengeResponseAuthentication no
    AuthenticationMethods password

I can see two phases where authentication is applied.  The first:

debug3: mm_request_receive entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required)
debug3: sshpam_password_change_required 1
debug3: mm_request_send entering: type 103
Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2
debug1: monitor_child_preauth: dhubbard2 has been authenticated by
privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]

However, all I can see from the "password_change_required" is code in
auth-pam.c to set the auth token to PAM_CHANGE_EXPIRED_AUTHTOK, but no
RFC4252-style communication.

Then later:

debug2: ## DH: userauth_finish [preauth]
debug3: auth2_update_methods_lists: updating methods list after "password"
[preauth]
debug2: authentication methods list 0 complete [preauth]
debug2: ## DH: about to do_pam_account [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 102 [preauth]
debug3: mm_request_receive_expect entering: type 103 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug2: ## DH: done do_pam_account - no message [preauth]
debug3: send packet: type 52 [preauth]

i.e. no recognition of the expiry and no comms.

Am I missing something, like a config setting?

Thanks in advance

David
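For readers following the RFC 4252 side of this question, the two messages involved are encoded below as an added example (Python, written for this archive page; it is not code from the thread, from OpenSSH or from SSHJ). It builds and parses the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ [60] that the client library expects from the server, and the "password" SSH_MSG_USERAUTH_REQUEST [50] with the boolean set TRUE that a client sends back carrying the old and new password (RFC 4252 section 8). Wire framing follows RFC 4251 (uint32-length strings, one-byte boolean); the user name, prompt and passwords are constructed sample values.

```python
import struct

# RFC 4252 message numbers used by the "password" method
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60


def put_string(data: bytes) -> bytes:
    """Encode an SSH 'string' (RFC 4251 section 5): uint32 length + bytes."""
    return struct.pack(">I", len(data)) + data


def get_string(buf: bytes, off: int):
    """Decode an SSH 'string' at offset off; returns (bytes, next offset).
    Length checks reject truncated input before any field is used."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def build_passwd_changereq(prompt: str, lang: str = "") -> bytes:
    """Server -> client: byte 60, string prompt (UTF-8), string language tag."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + put_string(prompt.encode("utf-8"))
            + put_string(lang.encode("ascii")))


def parse_passwd_changereq(payload: bytes) -> dict:
    """Client side: decode a CHANGEREQ and return its prompt and language tag."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not a SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    prompt, off = get_string(payload, 1)
    lang, off = get_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    return {"prompt": prompt.decode("utf-8"), "lang": lang.decode("ascii")}


def build_password_request(user: str, service: str, password: str,
                           new_password: str = None) -> bytes:
    """Client -> server: SSH_MSG_USERAUTH_REQUEST for the "password" method.
    With new_password given, the boolean is TRUE and both passwords follow,
    which is the reply RFC 4252 section 8 defines for a CHANGEREQ."""
    body = (bytes([SSH_MSG_USERAUTH_REQUEST])
            + put_string(user.encode("utf-8"))
            + put_string(service.encode("ascii"))
            + put_string(b"password"))
    if new_password is None:
        return body + b"\x00" + put_string(password.encode("utf-8"))
    return (body + b"\x01"
            + put_string(password.encode("utf-8"))
            + put_string(new_password.encode("utf-8")))


def parse_password_request(payload: bytes) -> dict:
    """Server side: decode a "password" USERAUTH_REQUEST, honouring the change
    flag so the new password is only read when the flag is TRUE."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not a SSH_MSG_USERAUTH_REQUEST")
    user, off = get_string(payload, 1)
    service, off = get_string(payload, off)
    method, off = get_string(payload, off)
    if method != b"password":
        raise ValueError("method is %r, not password" % method)
    if off >= len(payload):
        raise ValueError("missing change flag")
    change = payload[off] != 0
    off += 1
    password, off = get_string(payload, off)
    new_password = None
    if change:
        new_password, off = get_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after password fields")
    return {"user": user.decode("utf-8"), "service": service.decode("ascii"),
            "change": change, "password": password.decode("utf-8"),
            "new_password": None if new_password is None
            else new_password.decode("utf-8")}


def run_demo():
    """Constructed exchange: server sends a CHANGEREQ, client answers with
    old and new password. Values are samples, not from any real session."""
    req = build_passwd_changereq(
        "Your password has expired, choose a new one: ", "en-US")
    reply = build_password_request("alice", "ssh-connection",
                                   "old-secret", "new-secret")
    return parse_passwd_changereq(req), parse_password_request(reply)


if __name__ == "__main__":
    changereq, answer = run_demo()
    print("server asked:", changereq)
    print("client change flag:", answer["change"])
```

Both parsers refuse truncated or over-long payloads, which is the check a server needs before either password reaches a PAM conversation. In the trace above the final "send packet: type 52" is SSH_MSG_USERAUTH_SUCCESS, so the server accepted the login without ever emitting a type 60 message, which is exactly what the client library is waiting for.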
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


