dropbear and PAM_NEW_AUTHTOK_REQ ?

Matt Johnston matt at ucc.asn.au
Fri Apr 22 21:48:38 AWST 2016


Hi Joakim,

Does this work for changing passwords? I'm not entirely clear on what pam_chauthtok() does, but if it tries a PAM conversation with the user it won't work - Dropbear's PAM password login is a bit of a hack to just reply with the given password. (There's a branch https://secure.ucc.asn.au/hg/dropbear/shortlog/696205e3dc99 to handle it properly, but that needs some attention before merging)

I might be missing something though. I'll try to look further next week.

Cheers,
Matt

> On Fri 22/4/2016, at 1:30 pm, Joakim Tjernlund <Joakim.Tjernlund at infinera.com> wrote:
> 
> On Tue, 2016-04-19 at 12:59 +0200, Joakim Tjernlund wrote:
>> Just had a look at adding support for PAM_NEW_AUTHTOK_REQ in dropbear like so:
>> --- a/svr-authpam.c
>> +++ b/svr-authpam.c
>> -       if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
>> +       rc = pam_acct_mgmt(pamHandlep, 0);
>> +       if (rc == PAM_NEW_AUTHTOK_REQD) {
>> +               rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK);
>> +       }
>> +       if (rc != PAM_SUCCESS) {
>> 
>> This is of course not enough and I wonder if upstream dropbear would be
>> interested in adding support for PAM_NEW_AUTHTOK_REQ?
>> 
>>  Jocke
> 
> Ping ?
> 
> PAM_NEW_AUTHTOK_REQ is needed to support passwd expiration, that is, forcing the
> user to change passwd at first login/or passwd to old.
> 
>  Jocke



More information about the Dropbear mailing list