Re: /etc/default/passwd and SSH

From: Darren J Moffat (Darren.Moffat@Sun.COM)
Date: 01/29/02


Date: Tue, 29 Jan 2002 09:16:41 -0800
From: Darren J Moffat <Darren.Moffat@Sun.COM>
To: "Ivanov, Vladimir" <VIvanov@tee.toshiba.de>


Ivanov, Vladimir wrote:

>>I noticed that SSH inherently does not give the warnings (WARNWEEKS)
>>when the password expiration is coming up and I was wondering
>>if someone
>>has gotten this to work, or am I going to have to wait for Sun's
>>approved OpenSSH package in future Solaris releases to see
>>this feature?
>>
>
> As far as I know, these warnings are issued by login, so
> if you use UseLogin settings for sshd, this will solve this (and a few others)
> problem.

WARNWEEKS and all the other variables are defaults; you must properly
set up aging on each account.

More details are in SunSolve Infodoc 16699 - a copy is attached.

As for the interaction with OpenSSH there is a bug in session.c around
line 720.

         /*
          * If password change is needed, do it now.
          * This needs to occur before the ~/.hushlogin check.
          */
         if (is_pam_password_change_required()) {
                 print_pam_messages();
                 do_pam_chauthtok();
         }

The print_pam_messages should be outside of the if statement. This code
only prints the messages if your password has already expired, which
means you never get warning messages.

I'll be sending diffs to the OpenSSH people soon.

-- 
Darren J Moffat

INFODOC ID: 16699
SYNOPSIS: Description of "Password Aging"
DETAIL DESCRIPTION:

There are 3 policies implemented by the shadow file (and/or NIS+).

The format of /etc/shadow is:
        
  username:password:lastchg:min:max:warn:inactive:expire:flag

When using NIS+ the shadow field in passwd.org_dir holds:

  lastchg:min:max:warn:inactive:expire:flag

Each of the following policies is implemented using the fields shown in
parentheses.

Policy 1: Password Aging (lastchg, min, max, warn)
This determines the time period for which the user's password is
active. It is set by using the min, max and warn fields. The
lastchg field refers to the date the user last updated their password.
The warn field is the number of days of warning the user gets on login
before the password actually expires -- note that the warn field and
the expire field perform very distinct functions that are in no way related.

Policy 2: Login Activity (inactive)

This determines the maximum time period a user is allowed between logins.

The intention here is for when a user is away for a long period. For
example, a user goes on holiday for 2 months and does not log in to their
system. The account should be disabled after a week so that it can not
be used while they are out of the office. Set inactivity to 7 days.

This is on a per-machine basis, and the information about the last login
is taken from the machine's lastlog file.

Policy 3: Account Validity (expire)

The absolute date at which an account expires. There is no warning
given to the user about this.

The intention for this is for contractor/guest/temporary accounts.

Notes

The three policies are distinct and any combination of them can be used.

It would be nice if Policy 2 (Login Activity) could be held as a
network-wide database; ideally there would be a line in /etc/nsswitch.conf so
that the administrator could define the mix of network/host.

We do not currently implement this in the standard OS; see RFE 4014885
for further details. Solstice Security Manager does have this feature
(but does not do it via NIS/NIS+; instead it uses a private DB).

Technically, it is possible to implement this using PAM in Solaris
2.6 onwards; to do this you would write a PAM module that implements:

  pam_sm_open_session() for writing the network lastlog and
  pam_sm_acct_mgmt() for checking the network lastlog

Setup and Default values

The passwd(1) command can be used to set each of the fields for an already
existing user. AdminSuite usrmgr and admintool(1M) prompt for the fields
when creating a new user.

Default values for Min, Max, Warn can be set by giving values to the
variables MINWEEKS, MAXWEEKS, WARNWEEKS in /etc/default/passwd. Note
that setting the default values does NOT enable password aging for
all accounts on the system. The values in /etc/default/passwd are only
used to update the fields in /etc/shadow or the passwd.org_dir table when
a user changes their password (or a privileged user changes it for them) and
there are no existing values for those fields.

If /usr/bin/admintool is used to create a user and set their initial password,
the values from /etc/default/passwd are NOT used. The admin should set up
the required values in the fields of the admintool(1M) form at the time of
creating the user.

To enable any of the password aging policies on a system-wide basis,
either use the passwd(1) command with appropriate flags to set the fields
for each user, or set up defaults in the /etc/default/passwd file and then
expire the passwords of all users on the system by using:

  # passwd -f <login_name>

for each account.
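The three policies and the /etc/default/passwd behaviour described in the Infodoc, modelled in Python as an added example; this is not Sun's code and not part of the Infodoc. ShadowEntry, parse_shadow_line, evaluate, apply_defaults_on_change and force_change are names chosen here, and every sample entry, day number and default value is constructed. Day numbers are days since 1970-01-01, which is how shadow(4) stores lastchg and expire; the "lastchg of 0 means change now" rule models what passwd -f leaves behind.

```python
"""Model of the three shadow(4) aging policies from Infodoc 16699.

Added example, not Sun's code. Field meanings follow the Infodoc; day
numbers are days since 1970-01-01 as shadow(4) stores them. Every entry,
date and default below is constructed for the demonstration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

FIELDS = ("username", "password", "lastchg", "min", "max",
          "warn", "inactive", "expire", "flag")


@dataclass(frozen=True)
class ShadowEntry:
    username: str
    password: str
    lastchg: Optional[int]   # day of last change; 0 means "change at next login"
    min: Optional[int]       # Policy 1: days before the password may change again
    max: Optional[int]       # Policy 1: days the password stays valid after lastchg
    warn: Optional[int]      # Policy 1: days of warning before max runs out
    inactive: Optional[int]  # Policy 2: longest allowed gap between logins (days)
    expire: Optional[int]    # Policy 3: absolute day the account stops working
    flag: str


def _num(field: str) -> Optional[int]:
    """An empty shadow field means 'not set'; it is never treated as zero."""
    return int(field) if field.strip() else None


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one nine-field /etc/shadow line in the format given above."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    return ShadowEntry(parts[0], parts[1], *(_num(p) for p in parts[2:8]), parts[8])


def evaluate(entry: ShadowEntry, today: int,
             last_login: Optional[int] = None) -> List[str]:
    """Apply the three policies to a login attempt on day `today`.

    `last_login` stands in for this host's lastlog record, which is why
    Policy 2 is per machine. Returns the findings login would act on."""
    findings: List[str] = []

    # Policy 3: Account Validity. Hard cutoff; no warning is ever given.
    if entry.expire is not None and today >= entry.expire:
        findings.append("account expired")

    # Policy 2: Login Activity. Only evaluable where a lastlog record exists.
    if (entry.inactive is not None and last_login is not None
            and today - last_login > entry.inactive):
        findings.append("account inactive")

    # Policy 1: Password Aging. Forced change first, then max/warn arithmetic.
    if entry.lastchg == 0:
        findings.append("password change required")
    elif entry.lastchg is not None and entry.max is not None:
        expires_on = entry.lastchg + entry.max
        if today >= expires_on:
            findings.append("password change required")
        elif entry.warn is not None and today >= expires_on - entry.warn:
            findings.append(f"password expires in {expires_on - today} day(s)")
    return findings


def apply_defaults_on_change(entry: ShadowEntry, today: int,
                             defaults: Dict[str, int]) -> ShadowEntry:
    """Model of passwd(1) rewriting the aging fields when a password changes.

    MINWEEKS/MAXWEEKS/WARNWEEKS are in weeks; they become days and fill ONLY
    fields that are empty, which is why setting them does not by itself
    enable aging for accounts that already have values."""
    def weeks(key: str) -> Optional[int]:
        return defaults[key] * 7 if key in defaults else None

    return replace(
        entry,
        lastchg=today,
        min=entry.min if entry.min is not None else weeks("MINWEEKS"),
        max=entry.max if entry.max is not None else weeks("MAXWEEKS"),
        warn=entry.warn if entry.warn is not None else weeks("WARNWEEKS"),
    )


def force_change(entry: ShadowEntry) -> ShadowEntry:
    """Model of `passwd -f <login_name>`: expire the password now."""
    return replace(entry, lastchg=0)


# Constructed sample data; 11716 is 2002-01-29 expressed as a shadow day number.
TODAY = 11716
DEFAULTS = {"MINWEEKS": 1, "MAXWEEKS": 4, "WARNWEEKS": 2}  # constructed
SAMPLE_SHADOW = [
    "alice:HASH:11670:7:56:14:::",    # aging set, inside the 14-day warning window
    "bob:HASH:11600:7:56:14:::",      # aging set, password already past max
    "carol:HASH:11700:::::11700:",    # Policy 3 only: account expired today
    "dave:HASH:11700::::7::",         # Policy 2 only: 7 days of inactivity allowed
    "erin:HASH:11700::::::",          # no aging fields set at all
]


def report(today: int = TODAY,
           lastlog: Optional[Dict[str, int]] = None) -> Dict[str, List[str]]:
    """Evaluate every sample entry; lastlog maps username -> day of last login."""
    lastlog = {"dave": 11700} if lastlog is None else lastlog  # constructed lastlog
    return {e.username: evaluate(e, today, lastlog.get(e.username))
            for e in map(parse_shadow_line, SAMPLE_SHADOW)}


if __name__ == "__main__":
    for user, findings in report().items():
        print(f"{user:6} {findings or ['ok']}")
    erin = parse_shadow_line(SAMPLE_SHADOW[-1])
    print("erin after a password change with defaults:",
          apply_defaults_on_change(erin, TODAY, DEFAULTS))
    print("erin after passwd -f:", evaluate(force_change(erin), TODAY))
```

Running it shows the point the Infodoc makes: erin, who has no aging fields, gets no warning and no forced change at all until either her password is changed (at which point the /etc/default/passwd values fill the empty fields) or passwd -f sets lastchg to 0; alice, whose fields already hold values, keeps them regardless of what the defaults say.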


