Bug 124602 - (IT_41458) OpenSSH does not allow users to change expired passwords when privsep is used
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: i386 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Keywords: Security
Duplicates: 112820 117429
Blocks: 132991
 
Reported: 2004-05-27 16:40 EDT by Mark Post
Modified: 2007-11-30 17:07 EST (History)

Doc Type: Bug Fix
Last Closed: 2005-05-18 09:48:31 EDT
Attachments
Proposed patch (4.45 KB, patch), 2005-02-01 11:08 EST, Tomas Mraz

Description Mark Post 2004-05-27 16:40:17 EDT

Description of problem:
This is a follow-up to bug #83585
(https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=83585).

I have clients that are experiencing this problem, because our
security standards dictate that privilege separation be used.  The
errata produced for 83585 requires turning this off, so that is not
workable for us.

The OpenSSH developers have fixed this problem in version 3.8.  I need
to have this functionality inserted into a supported Red Hat RPM.


Version-Release number of selected component (if applicable):
openssh-3.6.1p2-33.30.1

How reproducible:
Always

Steps to Reproduce:
1. Have an expired user account
2. Have OpenSSH configured to use privsep
3. Try to login to the system
Actual Results:  The connection is dropped.

Expected Results:  The user should be prompted for their old and new passwords.

Additional info:
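As an added example (not part of the bug report or of the Red Hat packages), a POSIX shell check an administrator could run to see which local accounts would hit the lockout described above: privilege separation in effect in sshd_config combined with accounts whose password change is forced at login. The sshd_config fragment, the shadow-style lines and the "today" value of 12800 epoch days are constructed sample data.

```shell
#!/bin/sh
# Added example: which local accounts would be locked out by this bug?
# Constructed sample data (not taken from the bug report): an sshd_config
# fragment and shadow(5)-style lines. Shadow field 3 is the day of the last
# password change (days since 1970-01-01); 0 forces a change at next login.
# Field 5 is the maximum password age in days (99999 = effectively never).
SSHD_CONFIG='Protocol 2
# privsep is mandated by site security policy
UsePrivilegeSeparation yes
PasswordAuthentication yes'

SHADOW='root:$1$HASH1:12800:0:99999:7:::
alice:$1$HASH2:0:0:99999:7:::
bob:$1$HASH3:12500:0:90:7:::
carol:$1$HASH4:12790:0:99999:7:::'

# True when privilege separation is in effect. OpenSSH 3.3 and later default
# the directive to "yes" when it is absent; as in sshd_config, the first
# occurrence of a keyword wins.
privsep_enabled() {
    val=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "useprivilegeseparation" { print tolower($2) }' |
        head -n 1)
    [ -z "$val" ] || [ "$val" = "yes" ]
}

# Prints accounts whose password change is forced at login: last-change day 0,
# or last-change + max-age already in the past. $2 is "today" in epoch days.
accounts_forced_to_change() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
        $3 == 0 { print $1; next }
        $5 != "" && $5 < 99999 && ($3 + $5) < today { print $1 }'
}

# Prints the at-risk accounts and returns 0 when the host is affected
# (privsep on AND at least one forced-change account); returns 1 otherwise.
lockout_candidates() {
    privsep_enabled "$1" || return 1
    list=$(accounts_forced_to_change "$2" "$3")
    [ -n "$list" ] || return 1
    printf '%s\n' "$list"
}

# 12800 epoch days falls in early 2005, the era of this report.
lockout_candidates "$SSHD_CONFIG" "$SHADOW" 12800 ||
    echo "not affected: privsep off or no forced password changes"
```

On an affected host the list of printed accounts is the set of users who will be disconnected instead of prompted until the fixed package is installed or their passwords are reset out of band.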
Comment 1 Mark Post 2004-06-14 12:41:17 EDT
Can I get an update on this problem report?  It's been almost three
weeks.  Thanks.
Comment 7 Cory Ranschau 2005-01-05 11:17:44 EST
I have the same issue here.  I would like to see the same Expected
Results that Mark posted.
Comment 8 Greg Lafave 2005-01-14 20:23:41 EST
I am also having this issue.   Per security standards we need to have 
Privilege Separation and Password Expiry working.  Can we get an ETA 
on a fix for this?  I'm pretty sure this is already solved in the 
openssh community and we just need the backpatches installed in this 
RPM.  Thanks!
Comment 9 Tomas Mraz 2005-02-01 11:08:22 EST
Created attachment 110500 [details]
Proposed patch

This patch should solve the issue - it uses passwd binary to change the
password as in current openssh-3.9p1.
Comment 11 Tomas Mraz 2005-02-07 09:35:17 EST
*** Bug 112820 has been marked as a duplicate of this bug. ***
Comment 12 Tomas Mraz 2005-02-07 10:03:04 EST
*** Bug 117429 has been marked as a duplicate of this bug. ***
Comment 13 Mark Post 2005-02-07 10:44:56 EST
So, do you have a test RPM package we can install and try this out?  We'll be
willing to put it on quickly and provide feedback.

Mark
Comment 14 Tomas Mraz 2005-02-07 11:29:47 EST
You can test them:
http://people.redhat.com/tmraz/testing/openssh-*3.6.1p2-33.30.3.test.i386.rpm 

Of course they are with the disclaimer that they are purely unofficial and not
tested thoroughly so they can eat your system and so on...
Comment 16 Tom Webster 2005-02-18 16:10:04 EST
We are seeing the same problem and have the same security requirement
issues (priv separation on and users' passwords pre-expired).

I'd be willing to test the proposed patch, but I'm wondering if the
"*" preceding the version number is going to mess with up2date?  I'd
like to be able to drop in the test and then have up2date roll the
blessed patch over it rather than having to do rpm surgery.

PS Currently using: RHEL R3U4 with openssh-3.6.1p2-33.30.3

Tom
Comment 17 Tomas Mraz 2005-02-18 17:46:38 EST
The * is a wildcard character meaning client- server- and other packages.
Comment 18 Tom Webster 2005-03-22 13:28:56 EST
The test kit has been working fine for me for a couple of weeks.  Behavior is 
to force user to change password, then boot their connection.  Next login is 
OK with updated password.
Comment 20 Jurvis LaSalle 2005-04-06 17:52:55 EDT
it seems the test rpms have moved.  can i get a full URL to test them out?
Comment 21 Jurvis LaSalle 2005-04-06 20:39:55 EDT
To answer my question-  http://people.redhat.com/tmraz/testing/i386/ .
Anyone know when these rpms will come out of testing?  T
Comment 23 Francis 2005-04-25 14:42:01 EDT
So does somebody have news about when the rpm will be out of testing?
Comment 24 Tim Powers 2005-05-18 09:48:32 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-106.html
