
SSH and password expiration


Steve Bassler

Oct 17, 2002, 11:26:20 PM10/17/02
A few months ago there was a discussion here about how to make SSH
properly handle password expiration during logon. The proposed solution
was to write a script which called pwdadm to check for the ADMCHG flag
on the user's account and then call passwd if the flag is set.

My understanding is that the ADMCHG flag is set only when a root user
changes the user's password, i.e. the flag is set to force a password
change the next time the user logs on. It has nothing to do with normal
password expiration.

Is there a way to tell programmatically whether or not a password has
exceeded its max age? I know pwdadm also returns the lastupdate
attribute (in seconds). Is this the date of the last password change?
If so, how can I - in a script (ksh, perl, awk, etc.) - compare that to
the current date, and how can I get the user's max age attribute?

Thanks,
Steve


Darren Tucker

Oct 18, 2002, 9:31:35 AM10/18/02
In article <1103_10...@news1.news.adelphia.net>,

Steve Bassler <bassmstr.delet...@adelphia.net> wrote:
>A few months ago there was a discussion here about how to make SSH
>properly handle password expiration during logon. The proposed solution
>was to write a script which called pwdadm to check for the ADMCHG flag
>on the user's account and then call passwd if the flag is set.

If you want password expiration there's a patch for openssh-3.5p1 at:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=103451003731469

If it works for you, please let me know.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Mark Lundy

Oct 22, 2002, 10:53:05 AM10/22/02
Hello There!

Under AIX, you can set Primary Authentication Method to something like
:

SYSTEM,SYSTEM;<userid>

This has the effect of asking the user for their username and
password, but also asks them for the password of the user <userid>.
This can be used as a supplementary security feature.

Does this patch support this kind of secondary authentication?

Thanks.

Cheers.

-M

dtu...@dodgy.net.au (Darren Tucker) wrote in message news:<aop2fn$acq$1...@gate.dodgy.net.au>...

Darren Tucker

Oct 23, 2002, 10:36:32 AM10/23/02
In article <225577dc.02102...@posting.google.com>,

Mark Lundy <mark...@comcast.net> wrote:
>Under AIX, you can set Primary Authentication Method to something like
>
>SYSTEM,SYSTEM;<userid>
>
>This has the effect of asking the user for their username and
>password, but also asks them for the password of the user <userid>.
>This can be used as a supplementary security feature.
>
>Does this patch support this kind of secondary authentication?

I don't really know, I've never tried that before. Does an unmodified
OpenSSH handle it?

I suspect the patch will cause the primary account's password to be
changed if expired but the secondary ignored. I'll have to try it.

Mark Lundy

Oct 23, 2002, 3:15:50 PM10/23/02
dtu...@dodgy.net.au (Darren Tucker) wrote in message news:<ap6c5g$bid$1...@gate.dodgy.net.au>...

> In article <225577dc.02102...@posting.google.com>,
> Mark Lundy <mark...@comcast.net> wrote:
> >Under AIX, you can set Primary Authentication Method to something like
> >
> >SYSTEM,SYSTEM;<userid>
> >
> >This has the effect of asking the user for their username and
> >password, but also asks them for the password of the user <userid>.
> >This can be used as a supplementary security feature.
> >
> >Does this patch support this kind of secondary authentication?
>
> I don't really know, I've never tried that before. Does an unmodified
> OpenSSH handle it?
>
> I suspect the patch will cause the primary account's password will be
> changed if expired but the secondary ignored. I'll have to try it.


As a matter of fact, the secondary password doesn't work with an
unmodified ssh. I found on ssh.com :

http://www.ssh.com/support/faq/secureshell/qa_1_779.html

From what I understand, IBM is getting away from using auth1 and auth2
in AIX authentication. However, I believe that they support using
these values, probably for legacy purposes.

I looked over the patch; I don't think that this patch does in fact
use auth1 and auth2.

Thanks for your help. :)

Cheers.

-M

Maarten Kreuger

Oct 27, 2002, 6:16:11 AM10/27/02

Not the prettiest, but this workaround will do the trick. Instead of
fixing ssh, add some shell scripts to the login sequence of AIX. My code
provides the functionality for two problems with current ssh distributions:
- rlogin=false prevents execution of remote ssh commands
- password expiration and forced change is not detected


Instead of setting rlogin=false, set rlogin to true, and then check in
the /etc/profile whether root is logging in through ssh, and prevent
further logins. If telnet and rlogin are still disabled, that can be
checked too. I check for expired passwords and forced changes in a
script too.

The code:

restrict_ssh, sourced from /etc/profile, checks for root login and
password expiration

check_expired_passwd, run as root by sudo, to check for forced change
and expiration

Perl is needed for telling the time in seconds since the epoch. Sudo is
needed because normal users may not know when their password expires... A
single line has to be added to the /etc/sudoers file:
ALL ALL = NOPASSWD: /etc/check_expired_passwd


In the /etc/profile (just after the trap instruction):
[ -x /etc/restrict_ssh ] && . /etc/restrict_ssh

The code for the files is:

/etc/restrict_ssh (chmod 755):
#
# restrict_ssh: customizes ssh logins to not allow root login,
# and respect password expiration and forced change.
# Sourced from /etc/profile, so it runs inside the user's login shell (ksh).
#

#
# No remote logins (ssh, telnet, or rlogin) for root
# The parent of the login shell is sshd/telnetd/rlogind for a remote
# session. "| read pid rest" works because ksh runs the last stage of a
# pipeline in the current shell.
#
if [ `whoami` = root ] && ! [ -e /etc/rootmaylogin ]
then
    ps -o "%p %c" -p `ps -o "%P" -p $$ | tail -1` | \
        grep -e ssh -e telnet -e rlogin | read pid rest
    if [ "$pid" != "" ]
    then
        echo "Root is not allowed to login remotely on this system"
        logout || kill $pid
        exit
    fi
fi

#
# Check password expiration
# check_expired_passwd must run as root, so non-root users go through sudo.
#
if [ -e /etc/check_expired_passwd ] && [ -s /etc/sudoers ]
then
    sudo=`which sudo 2>/dev/null` || sudo=/usr/local/bin/sudo
    if [ `whoami` = root ]
    then
        /etc/check_expired_passwd
    else
        $sudo /etc/check_expired_passwd
    fi
    if [ $? -eq 1 ]
    then
        while ! passwd
        do
            echo "You have to change your password!"
        done
    fi
fi

/etc/check_expired_passwd (chmod 700):
#!/bin/ksh
#
# check_expired_passwd Maarten Kreuger
#
# version 1.0 initial 18-10-2002
#
# This script will check for the user that calls it whether or
# not his password is expired, or needs to be changed.
# If a password needs to be changed within a week, a
# warning is given.
#
# This script uses perl to tell the time in seconds since the epoch.
# If perl is not available in /usr/bin, the expiration check will not
# be performed.
#
# return codes: 0 password does not have to be changed
#               1 password requires changing
#               2 Error in the program
#
# The login name comes from "who am i" (utmp), so it is still the
# invoking user's name when the script is started through sudo.
user=`/usr/bin/who am i | /usr/bin/awk '{ print $1 }'`
root=`/usr/bin/whoami`
if [ "$root" != root ]
then
    print "Error, not running as root" >&2
    exit 2
fi

if [ "$user" = "" ]
then
    print "Error, could not determine username!" >&2
    exit 2
fi

#
# Check for expired useraccount
# We need perl for telling us the time in seconds
#
if [ -x /usr/bin/perl ]
then
    # get current time
    seconds_since_epoch=`/usr/bin/perl -e 'print time;'`

    # get maxage attribute (AIX keeps it in weeks; 0 means no expiry)
    maxage=`/usr/sbin/lsuser -a maxage $user | /usr/bin/awk -F '=' '{ print $2 }'`
    if (( maxage > 0 ))
    then
        (( maxage_seconds = maxage * 7 * 24 * 3600 ))

        # Get the time the password was last updated (seconds since the epoch)
        lastupdate=`/usr/bin/pwdadm -q $user | /usr/bin/grep lastupdate | \
            /usr/bin/awk -F '=' '{ print $2 }'`
        # no recorded change date: fail closed, i.e. count as expired
        lastupdate=${lastupdate:-0}

        # Now see what happens
        if (( seconds_since_epoch > lastupdate + maxage_seconds ))
        then
            print "Your password has expired. You are required to change it now."
            exit 1
        else
            (( daystoexpire = ( lastupdate + maxage_seconds - seconds_since_epoch ) / ( 24 * 3600 ) ))
            if (( daystoexpire < 8 ))
            then
                print "Warning, your password will expire in $daystoexpire day(s)"
            fi
        fi
    fi
fi

#
# Check for forced password change
# ADMCHG is set when root changed the password; it is independent of maxage.
#
if /usr/bin/pwdadm -q $user | /usr/bin/grep -q ADMCHG
then
    print "You are required to change your password now."
    exit 1
fi

exit 0
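Steve's question (how to compare lastupdate against maxage in a script) and Maarten's check_expired_passwd come down to the same decision: forced change, expired, about to expire, or fine. The script below is an added example, not code from the thread or from Maarten's scripts. It factors that decision into functions that work on the text `lsuser -a maxage USER` and `pwdadm -q USER` print, so the logic can be exercised offline. The two sample outputs are constructed; their layout follows AIX (maxage in weeks, lastupdate in seconds since the epoch, ADMCHG in flags after root set the password). The current time is passed in as a parameter instead of shelling out to perl, the 7-day warning window and the fail-closed handling of a missing lastupdate are this example's own choices, and a real deployment would run the two commands as root.

```shell
#!/bin/sh
# Added example: AIX password-ageing decision as testable shell functions.
# SAMPLE_* texts are constructed to match the lsuser/pwdadm layouts.

SAMPLE_LSUSER='steve maxage=8'
SAMPLE_PWDADM='steve:
        lastupdate = 1034914200'
SAMPLE_PWDADM_FORCED='steve:
        lastupdate = 1034914200
        flags = ADMCHG'

# parse_maxage "<lsuser -a maxage output>" -> weeks (empty if absent)
parse_maxage() {
    printf '%s\n' "$1" | awk -F'=' '/maxage=/ { gsub(/[^0-9]/, "", $2); print $2 }'
}

# parse_pwdadm "<pwdadm -q output>" FIELD -> value of "FIELD = value", trimmed.
# Lines without '=' (the "user:" header) are skipped, so a username that
# happens to contain the field name cannot pollute the result.
parse_pwdadm() {
    printf '%s\n' "$1" | awk -F'=' -v f="$2" \
        'NF >= 2 && $1 ~ ("^[ \t]*" f "[ \t]*$") {
             gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# password_state NOW MAXAGE_WEEKS LASTUPDATE FLAGS [WARN_DAYS]
# Prints one of: forced | expired | expiring:<days> | ok
# Returns 1 when the user must change the password now, else 0.
password_state() {
    now=$1; weeks=${2:-0}; last=$3; flags=$4; warn=${5:-7}

    # ADMCHG is independent of ageing: root set the password, user must replace it
    case "$flags" in
        *ADMCHG*) echo forced; return 1 ;;
    esac

    # maxage=0 on AIX means the password never expires
    if [ "$weeks" -le 0 ]; then
        echo ok; return 0
    fi

    # Ageing is on but no change date is recorded: fail closed
    # (this example's assumption; the thread's script did not cover it)
    if [ -z "$last" ]; then
        echo expired; return 1
    fi

    expires=$(( last + weeks * 7 * 86400 ))
    if [ "$now" -ge "$expires" ]; then
        echo expired; return 1
    fi

    days=$(( (expires - now) / 86400 ))
    if [ "$days" -lt "$warn" ]; then
        echo "expiring:$days"; return 0
    fi
    echo ok; return 0
}

# check_from_text NOW "<lsuser output>" "<pwdadm output>"
# The glue a real script would feed from the two commands (run as root).
check_from_text() {
    _weeks=$(parse_maxage "$2")
    _last=$(parse_pwdadm "$3" lastupdate)
    _flags=$(parse_pwdadm "$3" flags)
    password_state "$1" "$_weeks" "$_last" "$_flags"
}

# Demo on the constructed samples at two points in time. On AIX the time
# would come from e.g. perl -e 'print time' (date +%s is not portable).
for now in 1035000000 1040000000; do
    state=$(check_from_text "$now" "$SAMPLE_LSUSER" "$SAMPLE_PWDADM") || :
    echo "now=$now -> $state"
done
state=$(check_from_text 1035000000 "$SAMPLE_LSUSER" "$SAMPLE_PWDADM_FORCED") || :
echo "with ADMCHG -> $state"
```

Used from a login script, the exit status of password_state (or check_from_text) is what decides whether to loop on passwd, exactly as restrict_ssh does with check_expired_passwd; the printed word is only for the user.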
