IETF-SSH archive


Re: Checking for ssh implementation that uses SSH_MSG_USERAUTH_PASSWD_CHANGEREQ



Sheldon Bishov wrote:
> I'm working to get a client to handle the SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
> message for password change on UNIX server, and am checking for
> implementations that support this mechanism. Have tested a few UNIX
> implementations, so far none use that message, instead run passwd in a shell
> context.  Am starting to check secsh mail archive also.

I did patches for OpenSSH that did this. The patch (against OpenSSH 3.5p1) is still available at the link below. It should work on AIX and platforms using /etc/shadow, but I would not recommend using it in production.

I gave up on PASSWD_CHANGEREQ after this patch. As Joseph pointed out, the interface to change a password varies wildly from system to system (and rebuilding /etc/shadow like it does seems like a nasty thing to do). The real killer, however, was that to use this for real you would also have to support every system's password complexity rules too (e.g. /etc/default/passwd on Solaris) and those vary even more.

http://www.zip.com.au/~dtucker/openssh/openssh-3.5p1-passexpire8.patch

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
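
The client side of the exchange discussed in this thread, as an added example that is not part of the original message or of the OpenSSH patch: parsing SSH_MSG_USERAUTH_PASSWD_CHANGEREQ and building the reply, using the wire layout from RFC 4252 section 8. The function names, the sample payload and the choice to strip control characters from the prompt are assumptions of this example.

```python
import struct

SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # only valid while "password" auth is pending

def get_string(buf, off):
    """Read one SSH 'string' (uint32 length + bytes) with bounds checks."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds payload")
    return buf[off:off + n], off + n

def put_string(data):
    return struct.pack(">I", len(data)) + data

def parse_changereq(payload):
    """Return (prompt, language_tag) from a PASSWD_CHANGEREQ payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    prompt, off = get_string(payload, 1)
    lang, off = get_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    # The prompt is server-controlled text shown to the user: drop control
    # characters so it cannot drive the user's terminal.
    text = prompt.decode("utf-8", errors="replace")
    text = "".join(c for c in text if c.isprintable() or c in "\n\t")
    return text, lang.decode("ascii", errors="replace")

def build_change_request(user, service, old, new):
    """Client reply: 'password' method with the boolean set to TRUE."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + put_string(user.encode("utf-8"))
            + put_string(service.encode("ascii"))
            + put_string(b"password")
            + b"\x01"  # TRUE: old and new passwords follow
            + put_string(old.encode("utf-8"))
            + put_string(new.encode("utf-8")))

# Constructed sample payload (not captured from a real server)
SAMPLE = (bytes([60]) + put_string(b"Your password has expired.\x1b[2J")
          + put_string(b"en"))
```

Message number 60 is reused by other authentication methods, so a client should dispatch to parse_changereq only when its outstanding request used the password method.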


