Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 83585
Summary: | SSH Does not conform to Password Expiration Standard | ||||||
---|---|---|---|---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Sherif Abdelgawad <sabdelg> | ||||
Component: | openssh | Assignee: | Nalin Dahyabhai <nalin> | ||||
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 8.0 | CC: | aperez, astrand, bluth, cstankaitis, eric-bugs, mitr, pknirsch, raimondi, smann, tao, wimmer | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2004-05-12 04:23:35 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 98330, 107562 | ||||||
Attachments: |
|
Description
Sherif Abdelgawad
2003-02-05 20:20:16 UTC
it seems to be only on OpenSSH 3.4p1 This problem also exists in Redhat9 openssh-server-3.5p1-6. You will find a report for this bug in OpenSSH bugzilla as #423: "Workaround for pw change in privsep mode (3.5.p1)" (http://bugzilla.mindrot.org/show_bug.cgi?id=423) I've found this through a message from Darren Tucker (http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-01/0556.html). He also gives a patch for this bug (patch #198) that I've tested in Redhat9 openssh-server 3.5p1-6 with no success. Is there any oficial solution to this bug? This would'nt be much of a problem if password expiration worked withed PrivSep disabled, but it doesn't. Maybe the patch http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire20.patch helps. This is a problem in RH 9 and Severn as well. Created attachment 94503 [details]
patch to allow password expiration to work in non separated mode
I've done some looking into the attached patches for this bug, and it seems to
me that without the aforementioned helper app, getting this to work in
non-separated mode is going to take some time. In the interim, I've found that
the only reason 3.5p1 doesn't work in non-separated mode is that the case for
PAM_NEW_AUTHTOK_REQD in do_pam_account was #if 0-ed out. Anywho, the attached
patch corrects this, and after that, setting UsePrivilegeSeparation in
sshd_config to no allows password expiration to work.
tested, and this is also still an issue with RH9 openssh-3.5p1-11, fedora core 1 openssh-3.6.1p2-19 and RHEL 3 openssh-3.6.1p2-18 It has been fixed in FC2 already and an errata for RHEL3 has been issued and should be released within the next few weeks. Thanks, Read ya, Phil An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-114.html |