dropbear and PAM_NEW_AUTHTOK_REQ ?
Joakim Tjernlund
Joakim.Tjernlund at infinera.com
Mon Apr 25 16:26:05 AWST 2016
On Fri, 2016-04-22 at 21:48 +0800, Matt Johnston wrote:
> Hi Joakim,
>
> Does this work for changing passwords? I'm not entirely clear on what pam_chauthtok() does, but if it tries
> a PAM conversation with the user it won't work - Dropbear's PAM password login is a bit of a hack to just
> reply with the given password. (There's a branch https://secure.ucc.asn.au/hg/dropbear/shortlog/696205e3dc99
> to handle it properly, but that needs some attention before merging)
>
> I might be missing something though. I'll try to look further next week.
Matt, did some more hacking during the weekend. I will send two patches to the list for
you to look at. I hope they still apply on latest dropbear but if not it will be trivial
to fix I think.
Let me know what you think; unless there is a problem, we will use these two patches for now.
>
> Cheers,
> Matt
>
> >
> > On Fri 22/4/2016, at 1:30 pm, Joakim Tjernlund <Joakim.Tjernlund at infinera.com> wrote:
> >
> > On Tue, 2016-04-19 at 12:59 +0200, Joakim Tjernlund wrote:
> > >
> > > Just had a look at adding support for PAM_NEW_AUTHTOK_REQ in dropbear like so:
> > > --- a/svr-authpam.c
> > > +++ b/svr-authpam.c
> > > - if ((rc = pam_acct_mgmt(pamHandlep, 0)) != PAM_SUCCESS) {
> > > + rc = pam_acct_mgmt(pamHandlep, 0);
> > > + if (rc == PAM_NEW_AUTHTOK_REQD) {
> > > + rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK);
> > > + }
> > > + if (rc != PAM_SUCCESS) {
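Review bot: the added `rc = pam_chauthtok(pamHandlep, PAM_CHANGE_EXPIRED_AUTHTOK);` cannot complete with the conversation function Dropbear has today. pam_chauthtok() drives a PAM conversation through the application's callback, asking for the current password and then for the new password and its retype, and, as the reply above notes, Dropbear's PAM conversation answers every prompt with the password supplied at login, so the change will not succeed as posted. Either teach the conversation callback to answer the new-password prompts (the keyboard-interactive branch mentioned above) or, until then, report the PAM_NEW_AUTHTOK_REQD case to the user and deny the login rather than attempting the change. Two smaller points: the `if (rc != PAM_SUCCESS)` branch that follows was written for pam_acct_mgmt() failures and now also receives pam_chauthtok() failures, so whatever it logs should say which call failed; and the fragment carries no `@@` header or context lines, so it will not apply as a patch in this form. The code correctly uses PAM_NEW_AUTHTOK_REQD, the Linux-PAM spelling, rather than the PAM_NEW_AUTHTOK_REQ of the subject line.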
> > >
> > > This is of course not enough and I wonder if upstream dropbear would be
> > > interested in adding support for PAM_NEW_AUTHTOK_REQ?
> > >
> > > Jocke
> > Ping ?
> >
> > PAM_NEW_AUTHTOK_REQ is needed to support passwd expiration, that is, forcing the
> > user to change passwd at first login, or when the passwd is too old.
> >
> > Jocke