Rick Greene wrote:
> User is set up with /sbin/nologin as the shell ..
> what I'm thinking is it should be possible to change the order of things
> such that, if PAM returns that password change required flag, the login
> process could initiate the password change process *before* going into
> the chroot environment for the user.

It looks like that would work, since the passwd command to change the password is executed directly by sshd, without using the user's shell.

You could try the untested patch I've attached if you like. But there may still be concerns about so much processing going on before the configured chroot takes effect. I would have to think long about such a change before I'd enable it on my systems.

//Peter
diff --git a/session.c b/session.c index e63fc47..860ec0e 100644 --- a/session.c +++ b/session.c @@ -1531,6 +1531,14 @@ do_child(struct ssh *ssh, Session *s, const char *command) /* Force a password change */ if (s->authctxt->force_pwchange) { + /* Trick do_setusercontext() to skip chroot */ + if (options.chroot_directory != NULL && + strcasecmp(options.chroot_directory, "none") != 0) { + free(options.chroot_directory); + options.chroot_directory = NULL; + in_chroot = 1; + } + do_setusercontext(pw); child_close_fds(ssh); do_pwchange(s);
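Review bot: setting `in_chroot = 1` right after nulling `options.chroot_directory` records a chroot that never happened, so any later code in do_child() that consults `in_chroot` to decide whether paths are chroot-relative or whether to suppress warnings will be misled; either leave the flag untouched or extend the "Trick do_setusercontext() to skip chroot" comment to state exactly which downstream check the flag is meant to influence. The condition `options.chroot_directory != NULL && strcasecmp(options.chroot_directory, "none") != 0` duplicates the test that do_setusercontext() itself applies before chrooting, so the two should be kept in sync, ideally via one shared helper. The security-relevant consequence should also be spelled out in the commit message: with this change the forced password change runs entirely outside the configured chroot, so it must be confirmed that `do_pwchange(s)` never returns into the remainder of do_child(), which would otherwise continue unconfined for a user the administrator intended to chroot.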
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev