Bug 124602 (IT_41458)
Summary: | OpenSSH does not allow users to change expired passwords when privsep is used | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 3 | Reporter: | Mark Post <mark.post> | ||||
Component: | openssh | Assignee: | Tomas Mraz <tmraz> | ||||
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | 3.0 | CC: | ckloiber, cranschau, ffillion, glafave, k.georgiou, lasalle, lsof, nalin, shanew, tao, tom.webster | ||||
Target Milestone: | --- | Keywords: | Security | ||||
Target Release: | --- | ||||||
Hardware: | i386 | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2005-05-18 13:48:31 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 132991 | ||||||
Attachments: |
|
Description
Mark Post
2004-05-27 20:40:17 UTC
Can I get an update on this problem report? It's been almost three weeks. Thanks. I have the same issue here. I would like to see the same Expected Results that Mark posted. I am also having this issue. Per security Standards we need to have Privledge Separation and Password Expiry working. Can we get a ETA on a fix for this? I'm pretty sure this is already solved in the openssh comunity and we just need the backpatches install in this RPM. Thanks! Created attachment 110500 [details]
Proposed patch
This patch should solve the issue - it uses passwd binary to change the
password as in current openssh-3.9p1.
*** Bug 112820 has been marked as a duplicate of this bug. *** *** Bug 117429 has been marked as a duplicate of this bug. *** So, do you have a test RPM package we can install and try this out? We'll be willing to put it on quickly and provide feedback. Mark You can test them: http://people.redhat.com/tmraz/testing/openssh-*3.6.1p2-33.30.3.test.i386.rpm Of course they are with the disclaimer that they are purely unofficial and not tested thoroughly so they can eat your system and so on... We are seeing the same problem and have the same security requirment issues (priv seperation on and users passwords pre-expired). I'd be willing to test the proposed patch, but I'm wondering if the "*" preceeding the version number is going to mess with up2date? I'd like to be able to drop in the test and then have up2date roll the blessed patch over it rather than having to do rpm surgery. PS Currently using: RHEL R3U4 with openssh-3.6.1p2-33.30.3 Tom The * is a wildcard character meaning client- server- and other packages. The test kit has been working fine for me for a couple of weeks. Behavior is to force user to change password, then boot their connection. Next login is OK with updated password. it seems the test rpms have moved. can i get a full URL to test them out? To answer my question- http://people.redhat.com/tmraz/testing/i386/ . Anyone know when these rpms will come out of testing? T So does somebody has news about when the rpm will out of testing? An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2005-106.html |