Subject: bin/36624: sshd should not check pw_{expire,change} if UsePam is enabled
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <ef@math.uni-bonn.de>
List: netbsd-bugs
Date: 07/10/2007 15:15:01
>Number: 36624
>Category: bin
>Synopsis: sshd should not check pw_{expire,change} if UsePam is enabled
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Jul 10 15:15:00 +0000 2007
>Originator: Edgar Fuß
>Release: NetBSD 4.0_BETA2
>Organization:
Mathematisches Institut der Universität Bonn, Computerabteilung
>Description:
Even if UsePam is enabled in ssh/sshd_config, the code checks for
account/password expiration via pw_expire/pw_change. These fields
may be filled by nss_ldap even for LDAP accounts (and indeed are
mangled due to an error in nss_ldap).
This is confusing, since one would expect PAM to check for account
expiration and password ageing if PAM is enabled.
>How-To-Repeat:
Enable PAM in etc/ssh/sshd_config.
pkg_add nss_ldap.
pkg_add pam-ldap.
Enable the PAM module in pam.d/sshd.
>Fix:
Experts should check the security implications of the following:
--- auth.c.orig 2006-09-28 23:22:14.000000000 +0200
+++ auth.c 2007-07-10 14:27:30.000000000 +0200
@@ -167,6 +167,9 @@
login_close(lc);
#endif
+#ifdef USE_PAM
+ if (!options.use_pam) {
+#endif
/*
* password/account expiration.
*/
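Review bot: with `options.use_pam` set, the whole "password/account expiration" block is now bypassed, so nothing in sshd looks at pw_expire/pw_change any more and expiry enforcement rests entirely on the account stack configured in pam.d/sshd; the comment above the block should say so (e.g. `/* password/account expiration; skipped under UsePAM, the PAM account stack must enforce it */`), because a PAM configuration without an account module then enforces no expiry at all. Separately, opening the brace under `#ifdef USE_PAM` while its matching close lives in a different `#ifdef` some thirty lines later is fragile; if `options.use_pam` is present in ServerOptions regardless of USE_PAM, a plain `if (!options.use_pam) {` without the preprocessor guard would be simpler.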
@@ -197,6 +200,9 @@
}
}
}
+#ifdef USE_PAM
+ }
+#endif
/*
* Get the shell from the password data. An empty shell field is
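Review bot: the `}` added here closes the `if (!options.use_pam) {` from the previous hunk, but it follows three other closing braces and sits inside its own `#ifdef USE_PAM`, so a reader cannot tell which block it ends; at minimum tag it `} /* !options.use_pam */`, or better, move the expiration checks into a static helper (say `check_expiry(pw)`, name suggested here) called as `if (!options.use_pam && !check_expiry(pw)) return 0;` so the brace pair no longer straddles two preprocessor conditionals.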
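To make the security question raised under >Fix: concrete, here is an added model of what the patched check decides; it is an illustration written for this page, not code from the PR or from OpenSSH. `struct pw_ages`, `local_expiry_check`, the verdict names and the two sample accounts are all hypothetical; the field names mirror the BSD struct passwd members pw_change and pw_expire so that on NetBSD the struct could be filled from getpwnam(3), but the struct itself is a stand-in so the model builds anywhere. The "mangled" LDAP value is constructed, since the report says the fields are mangled but not what they contain, and the order in which the two denials are tested is an assumption, as the hunks only show that both sit inside the guarded block.

```c
#include <stdio.h>
#include <time.h>

/*
 * Hypothetical stand-in for the BSD passwd fields the check reads
 * (added example, not the PR's or OpenSSH's code).
 */
struct pw_ages {
    const char *name;
    time_t pw_change;   /* password must be changed after this time; 0 = never */
    time_t pw_expire;   /* account unusable after this time; 0 = never */
};

enum verdict {
    ALLOW,                  /* local checks pass, or nothing to check */
    DENY_ACCOUNT_EXPIRED,   /* now > pw_expire */
    DENY_PASSWORD_EXPIRED,  /* now > pw_change */
    DEFER_TO_PAM            /* UsePAM on: sshd checks nothing, PAM must */
};

/*
 * Post-patch behaviour: with use_pam set the pw_* checks are skipped
 * entirely and the verdict is DEFER_TO_PAM, i.e. sshd itself no longer
 * denies an expired account.  Which denial wins when both deadlines
 * have passed is an assumption of this model.
 */
enum verdict local_expiry_check(const struct pw_ages *pw, time_t now, int use_pam)
{
    if (use_pam)
        return DEFER_TO_PAM;
    if (pw->pw_expire != 0 && now > pw->pw_expire)
        return DENY_ACCOUNT_EXPIRED;
    if (pw->pw_change != 0 && now > pw->pw_change)
        return DENY_PASSWORD_EXPIRED;
    return ALLOW;
}

const char *verdict_name(enum verdict v)
{
    switch (v) {
    case ALLOW:                 return "allow";
    case DENY_ACCOUNT_EXPIRED:  return "deny: account expired";
    case DENY_PASSWORD_EXPIRED: return "deny: password expired";
    case DEFER_TO_PAM:          return "skipped: PAM account stack decides";
    }
    return "?";
}

/* Constructed accounts: a plain local user, an LDAP user whose pw_expire
 * came back from NSS as a bogus timestamp in 1970, and a local user whose
 * password change deadline has passed. */
const struct pw_ages local_user = { "alice", 0, 0 };
const struct pw_ages ldap_user  = { "bob",   0, 86400 };
const struct pw_ages stale_pw   = { "carol", 1, 0 };

/* Constructed "now": 10 July 2007, the date of the report. */
const time_t report_time = 1184080000;

int main(void)
{
    const struct pw_ages *users[] = { &local_user, &ldap_user, &stale_pw };
    int use_pam, i;

    for (use_pam = 0; use_pam <= 1; use_pam++) {
        printf("UsePAM %s:\n", use_pam ? "yes" : "no");
        for (i = 0; i < 3; i++)
            printf("  %-6s -> %s\n", users[i]->name,
                   verdict_name(local_expiry_check(users[i], report_time, use_pam)));
    }
    return 0;
}
```

The point the model makes is the one a reviewer of the patch has to weigh: without PAM the mangled LDAP value wrongly locks bob out, which is the reporter's complaint, but with PAM every account comes back as DEFER_TO_PAM, carol included, so the pam.d/sshd stack is the only place expiry can still be enforced.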