dropbear and PAM_NEW_AUTHTOK_REQ ?

Joakim Tjernlund Joakim.Tjernlund at infinera.com
Mon Apr 25 16:26:05 AWST 2016


On Fri, 2016-04-22 at 21:48 +0800, Matt Johnston wrote:
> Hi Joakim,
> 
> Does this work for changing passwords? I'm not entirely clear on what pam_chauthtok() does, but if it tries
> a PAM conversation with the user it won't work - Dropbear's PAM password login is a bit of a hack to just
> reply with the given password. (There's a branch https://secure.ucc.asn.au/hg/dropbear/shortlog/696205e3dc99
>  to handle it properly, but that needs some attention before merging)
> 
> I might be missing something though. I'll try to look further next week.

Matt, I did some more hacking during the weekend. I will send two patches to the list for
you to look at. I hope they still apply on the latest dropbear, but if not it will be trivial
to fix, I think.
Let me know what you think; unless there is a problem, we will use these two patches for now.

> 
> Cheers,
> Matt
> 
> > 
> > On Fri 22/4/2016, at 1:30 pm, Joakim Tjernlund <Joakim.Tjernlund at infinera.com> wrote:
> > 
> > On Tue, 2016-04-19 at 12:59 +0200, Joakim Tjernlund wrote:
> > > 
> > > Just had a look at adding support for PAM_NEW_AUTHTOK_REQ in dropbear like so:
> > > --- a/svr-authpam.c
> > > +++ b/svr-authpam.c
> > > -       if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
> > > +       rc = pam_acct_mgmt(pamHandlep, 0);
> > > +       if (rc == PAM_NEW_AUTHTOK_REQD) {
> > > +               rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK);
> > > +       }
> > > +       if (rc != PAM_SUCCESS) {
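Review bot: the new `pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK)` call can only succeed if the conversation function registered at `pam_start()` is able to answer the prompts a password-change module issues; as Matt notes above, Dropbear's current callback just replies with the login password to every prompt, so in this phase the call will either fail or try to set the expired password back to its old value. Please check how the conv function handles PAM_PROMPT_ECHO_OFF while `pam_chauthtok()` is running before merging, and make it fail closed rather than replay the old password. Also, since `if (rc != PAM_SUCCESS) {` now covers both `pam_acct_mgmt()` and `pam_chauthtok()`, the error branch that follows (not shown) will report a failed password change as an account-management failure unless the log message is made to distinguish the two return paths. Minor: the constant is spelled `PAM_NEW_AUTHTOK_REQD` in the hunk, which is correct; the surrounding text drops the trailing D.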
> > > 
> > > This is of course not enough and I wonder if upstream dropbear would be
> > > interested in adding support for PAM_NEW_AUTHTOK_REQ?
> > > 
> > >  Jocke
> > Ping ?
> > 
> > PAM_NEW_AUTHTOK_REQ is needed to support passwd expiration, that is, forcing the
> > user to change passwd at first login/or passwd too old.
> > 
> >  Jocke
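As an added illustration of Matt's point that a conversation function which just replies with the given password cannot serve pam_chauthtok(), the callback below (example code, not Dropbear's and not part of this thread) answers only the ordinary password prompt and fails closed when its caller flags that the password-change phase is running. The PAM_* values and structs are a constructed stand-in for <security/pam_appl.h> so it builds without libpam, and conv_ctx is a hypothetical appdata layout.

```c
/* Added example, not Dropbear's code: PAM conversation callback that answers the
 * login password only outside pam_chauthtok() and fails closed inside it.  The
 * PAM_* values and structs are a constructed stand-in for <security/pam_appl.h>. */
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#define PAM_SUCCESS          0
#define PAM_PROMPT_ECHO_OFF  1
#define PAM_ERROR_MSG        3
#define PAM_TEXT_INFO        4
#define PAM_CONV_ERR        19
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
struct conv_ctx { const char *login_password; int in_chauthtok; }; /* hypothetical appdata */

static int ssh_password_conv(int num_msg, const struct pam_message **msg,
                             struct pam_response **resp, void *appdata_ptr)
{
    struct conv_ctx *ctx = appdata_ptr;
    struct pam_response *r; int i;
    if (num_msg <= 0 || !(r = calloc((size_t)num_msg, sizeof *r)))
        return PAM_CONV_ERR;
    for (i = 0; i < num_msg; i++) {
        int style = msg[i]->msg_style;
        if (style == PAM_ERROR_MSG || style == PAM_TEXT_INFO)
            continue;                         /* informational, nothing to answer */
        /* Outside chauthtok an ECHO_OFF prompt is the password prompt.  Inside it the
         * module asks for the current and then a new password; replaying the login
         * password there would fail or re-set the expired password, so refuse. */
        if (style != PAM_PROMPT_ECHO_OFF || ctx->in_chauthtok ||
            !(r[i].resp = strdup(ctx->login_password)))
            goto fail;
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (i = 0; i < num_msg; i++) free(r[i].resp);
    free(r);
    return PAM_CONV_ERR;
}
/* Drive the callback with one constructed prompt; returns the PAM status. */
static int run_prompt(int style, int in_chauthtok)
{
    struct conv_ctx ctx = { "constructed-login-password", in_chauthtok };
    struct pam_message m = { style, "Password: " };
    const struct pam_message *mp = &m;
    struct pam_response *r = NULL;
    int rc = ssh_password_conv(1, &mp, &r, &ctx);
    if (r) { free(r[0].resp); free(r); }
    return rc;
}
```

With this shape, an expired-password login is denied instead of silently passing or rewriting the password with its old value, until a conversation that can really talk to the SSH client exists.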


More information about the Dropbear mailing list