sshd and password expiration

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



I am facing the following situation on my Linux:
- i have my own user database for the users who log in via a web interface
- privileged users are allowed to log on to the device via ssh (pam is in use)
- these users are redirected (via nss module) to a linux user who cannot log in directly to the system
so far this is working fine.

But now I also want the user to change the password if it has expired. Therefore my PAM module returns the error code PAM_NEW_AUTHTOK_REQD in the pam_sm_acct_mgmt function. The user is then prompted to change the password. Unfortunately, the function of my pam module that I configured in /etc/pam.d/sshd is not used for the password change, but the one that was configured in /etc/pam.d/passwd.
In the source code I then saw that the passwd binary is called directly, which explains the behavior. Furthermore I saw in the source that in special cases pam_chauthtok is called.
As an experiment I made the nns redirection to the root user and set PermitRootLogin to yes in the sshd_config. Then the pam module which was configured in /etc/pam.d/sshd is called to change the password, as I would have expected in the case of the non-root user.

So I wonder why pam_chauthtok is only called in special cases (!use_privsep)?
My understanding is that this is wrong because the password statements in the sshd pam configuration have no effect.

Thanks, Martin
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux