Re: Public key authentication defeats passwd age warning.

From: Darren Tucker (dtucker_at_dodgy.net.au)
Date: 08/27/04


Date: Fri, 27 Aug 2004 14:26:48 +0000 (UTC)

In article <cgjfkd$rh7$1@eeyore.INS.cwru.edu>,
The other Thomas Gardner <tGARDNER@ElectEngrngCompSci.CaseWesResUniv.EDU> wrote:
>UsePAM I changed because that seemed to make passwd aging work. I.e.
>when set to its default of ``no'', even if the lUser logging in was
>WAY past the expiration their passwd, it would still let them in as
>if nothing was wrong. When I changed it to ``yes'' the lUser is
>challenged to reset their passwd immediately on login, as is supposed
>to be the case.

In OpenSSH's native password support, password expiry is only checked
during password authentication, and the warning is generated as part of
that check (auth_shadow_pwexpired in auth-shadow.c).

In PAM's world view, password expiry is done as part of the account checks
(ie pam_acct_mgmt) which sshd must check for all auth types (since it
has no idea what criteria PAM might use for those checks).

It would be possible to generate the messages for non-password auths too
but I'm not sure it makes sense. If you're not using the password at all,
is it relevant that it's expired? And what do you do if it is? Deny the
login even though the credentials used for the authentication (ie the
public key) are perfectly fine? Or generate a message of the form "your
password expired X days ago"?

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
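The two code paths Darren contrasts, modelled as an added example (this is not OpenSSH's or Darren's code): a simplified shadow(5) parser plus an expiry check in the spirit of auth_shadow_pwexpired, then a "native" login that only consults it during password authentication and a "PAM-style" login that runs the account check after every successful auth regardless of method. The shadow lines, the hashes and the day arithmetic are constructed for the example; real sshd and pam_unix apply more rules (inactive days, absolute expiry dates) than are shown here.

```python
"""Model of the two password-expiry paths discussed in the thread.

Added example: constructed shadow(5)-style data, not real system files.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional, Tuple

# Constructed entries in shadow(5) layout:
# name:hash:lastchg:min:max:warn:inactive:expire:
# lastchg is days since 1970-01-01; hashes are obviously fake.
SAMPLE_SHADOW = """\
alice:$6$FAKEHASH:12500:0:90:7:::
bob:$6$FAKEHASH:12600:0:90:7:::
carol:$6$FAKEHASH:12570:0:90:7:::
"""

# Evaluate "today" as of the thread's date so results are reproducible.
TODAY = (date(2004, 8, 27) - date(1970, 1, 1)).days


@dataclass
class ShadowEntry:
    name: str
    lastchg: int
    max_days: Optional[int]   # None when the field is empty (no aging)
    warn_days: Optional[int]


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse the fields of shadow(5) that password aging depends on."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        entries[f[0]] = ShadowEntry(
            name=f[0],
            lastchg=int(f[2]),
            max_days=int(f[4]) if f[4] else None,
            warn_days=int(f[5]) if f[5] else None,
        )
    return entries


def pwexpired(e: ShadowEntry, today: int = TODAY) -> Tuple[bool, Optional[int], bool]:
    """Simplified auth_shadow_pwexpired: (expired, days_left, warn).

    days_left = lastchg + max - today; negative means the password expired.
    The warning applies when days_left is within the warn window.
    """
    if e.max_days is None:
        return False, None, False
    days_left = e.lastchg + e.max_days - today
    expired = days_left < 0
    warn = (not expired
            and e.warn_days is not None
            and days_left <= e.warn_days)
    return expired, days_left, warn


def native_login(e: ShadowEntry, method: str, today: int = TODAY) -> str:
    """UsePAM=no behaviour: expiry is only examined on the password path.

    A public-key login never reaches the check, which is the observation
    that started the thread.
    """
    if method == "password":
        expired, left, warn = pwexpired(e, today)
        if expired:
            return "deny: password has expired"
        if warn:
            return f"allow: warning, password expires in {left} day(s)"
    return "allow"


def pam_login(e: ShadowEntry, method: str, today: int = TODAY) -> str:
    """UsePAM=yes behaviour: the account check runs for every auth method.

    pwexpired() stands in for pam_unix's account check; an expired
    password maps to PAM_NEW_AUTHTOK_REQD, which sshd honours by forcing
    a password change before the session starts.
    """
    expired, left, warn = pwexpired(e, today)
    if expired:
        return f"allow: must change expired password now ({method} auth)"
    if warn:
        return f"allow: warning, password expires in {left} day(s)"
    return "allow"


if __name__ == "__main__":
    users = parse_shadow(SAMPLE_SHADOW)
    for name in ("alice", "bob", "carol"):
        for method in ("password", "publickey"):
            print(f"{name:6} {method:9} native={native_login(users[name], method)!r}"
                  f" pam={pam_login(users[name], method)!r}")
```

Running it shows alice (67 days past expiry) walking straight in with a public key on the native path but being forced to change her password under the PAM path, and carol receiving the "expires in 3 days" warning under PAM for either method but only on a password login natively.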