Red Hat Bug 124602 In Action

From Brandonhutchinson.com

Revision as of 21:15, 19 March 2008 by Hutch (Talk | contribs)

Bugzilla Bug 124602: OpenSSH does not allow users to change expired passwords when privsep is used

$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
$ rpm -q openssh
openssh-3.6.1p2-33.30.3

I attempt to log in as a user with an expired password using ssh.

If privilege separation is enabled

If privilege separation is enabled, I receive the following error.

You are required to change your password immediately (password aged)
Your password has expired, the session cannot proceed.

If privilege separation is disabled

If privilege separation is disabled, I receive the following error.

From a remote system:

$ ssh hutchib@host
Password: 
dispatch_protocol_error: type 60 seq 12
Disconnecting: Bad packet length 1158809210.

From the local system:

$ ssh hutchib@localhost
Password: 
Warning: Your password has expired, please change it now.
9ea7 c5ec 6dc5 65ca debc beb7 7a68 0f0a

Disconnecting: Bad packet length 2661795308.

Workaround

Note that even after installing the latest OpenSSH package, privilege separation must be enabled in order to log in with an expired account.

$ rpm -qp openssh-3.6.1p2-33.30.14.i386.rpm --changelog
...
* Wed Feb 02 2005 Tomas Mraz <tmraz@redhat.com> 3.6.1p2-33.30.4

- CAN-2004-0175 (#120147) don't allow scp to overwrite files 
  in other directories
- don't log in sigalarm handler - it can deadlock (#145001)

* Tue Feb 01 2005 Tomas Mraz <tmraz@redhat.com>

- allow changing expired passwords when privilege separation is on (#124602)
- don't leak whether root password is right if root isn't allowed (#141642)

# yum install openssh
...
I will do the following:
[update: openssh 3.6.1p2-33.30.14.i386]
I will install/upgrade these to satisfy the dependencies:
[deps: openssh-server 3.6.1p2-33.30.14.i386]
[deps: openssh-clients 3.6.1p2-33.30.14.i386]
[deps: openssh-askpass 3.6.1p2-33.30.14.i386]
Is this ok [y/N]: y

With privilege separation disabled:

$ ssh hutchib@host
Password: 
Warning: Your password has expired, please change it now.
Disconnecting: Bad packet length 2062459566.

With privilege separation enabled:

$ ssh hutchib@host
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password: 
New UNIX password: 
Retype new UNIX password: 
passwd: all authentication tokens updated successfully.
Connection to host closed.
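The two conditions shown above (a package that carries the #124602 fix, and UsePrivilegeSeparation left on) are easy to get wrong on a fleet, so here is a small POSIX shell check that tests both. This is an added example, not code from the page or from Red Hat: it assumes the fix ships in release 33.30.4 (the changelog entry sits under that version header), that the package is the same 3.6.1p2 upstream version so only the release suffix needs comparing, and that an absent UsePrivilegeSeparation directive means the OpenSSH default of yes. The sshd_config fragments it reads are constructed inline.

```shell
#!/bin/sh
# Added example: verify that an RHEL 3 host can let a user with an expired
# password log in over ssh, i.e. the openssh package is at least the release
# that fixed Bugzilla #124602 AND privilege separation is enabled.

# Release (the part after the last '-') in which #124602 is listed as fixed.
# Assumption: the changelog entry above sits under the 3.6.1p2-33.30.4 header.
FIXED_RELEASE=33.30.4

# Compare two dotted numeric release strings; return 0 if $1 >= $2.
release_at_least() {
    inst="$1"; fix="$2"
    while [ -n "$inst" ] || [ -n "$fix" ]; do
        a=${inst%%.*}; b=${fix%%.*}
        [ "$a" = "$inst" ] && inst="" || inst=${inst#*.}
        [ "$b" = "$fix" ] && fix="" || fix=${fix#*.}
        a=${a:-0}; b=${b:-0}           # missing trailing component counts as 0
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
    done
    return 0                           # identical releases
}

# Print "yes" if the effective UsePrivilegeSeparation value in $1 is on.
# A commented-out directive does not match; an absent directive means the
# default, which is yes (assumption for this example). "sandbox", accepted
# by newer OpenSSH versions, also means on.
privsep_enabled() {
    val=$(grep -i '^[[:space:]]*UsePrivilegeSeparation[[:space:]]' "$1" \
          | head -n 1 | awk '{print tolower($2)}')
    case "$val" in
        ""|yes|sandbox) echo yes ;;
        *)              echo no ;;
    esac
}

# $1 = package string as printed by "rpm -q openssh", $2 = path to sshd_config.
# Prints ok, old-package or privsep-off and returns 0 only for ok.
expired_password_login_ok() {
    rel=${1##*-}                       # e.g. openssh-3.6.1p2-33.30.3 -> 33.30.3
    if ! release_at_least "$rel" "$FIXED_RELEASE"; then
        echo old-package; return 1
    fi
    if [ "$(privsep_enabled "$2")" != yes ]; then
        echo privsep-off; return 1
    fi
    echo ok; return 0
}

# Write a constructed sshd_config sample to $1; $2 is yes, no or absent.
make_sample_config() {
    {
        echo "# sshd_config sample (constructed for this example)"
        echo "Protocol 2"
        [ "$2" != absent ] && echo "UsePrivilegeSeparation $2"
        echo "Subsystem sftp /usr/libexec/openssh/sftp-server"
    } > "$1"
}

# Demo over the package strings seen on the page and two sample configs.
demo() {
    d=${TMPDIR:-/tmp}/privsep_demo_$$
    make_sample_config "$d.on" yes
    make_sample_config "$d.off" no
    for pkg in openssh-3.6.1p2-33.30.3 openssh-3.6.1p2-33.30.14; do
        for cfg in "$d.on" "$d.off"; do
            printf '%-28s %-12s %s\n' "$pkg" "${cfg##*.}" \
                "$(expired_password_login_ok "$pkg" "$cfg")"
        done
    done
    rm -f "$d.on" "$d.off"
}

[ "${1:-}" = demo ] && demo
```

On a real host you would call it as `expired_password_login_ok "$(rpm -q openssh)" /etc/ssh/sshd_config`; the demo target just exercises the logic with the 33.30.3 and 33.30.14 package strings from the transcript above, so the "old-package" and "privsep-off" branches are both visible without touching a live system.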