Bug 28311 - ftpd and sshd do not honor expired pw entries
Summary: ftpd and sshd do not honor expired pw entries
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: bin
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: Dag-Erling Smørgrav
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2001-06-21 03:50 UTC by mike
Modified: 2004-01-26 21:18 UTC

See Also:


Description mike 2001-06-21 03:50:00 UTC
sshd and ftpd do not look at the expire field for a user. This is a security risk if the site relies on the expire field to prevent access.

How-To-Repeat:
backup2# pw useradd deadguy
backup2# mkdir /home/deadguy
chown deadguy /home/deadguy
backup2# passwd deadguy
Changing local password for deadguy.
New password:
Please enter a password at least 6 characters in length.
New password:
Retype new password:
passwd: updating the database...
passwd: done
backup2# ssh deadguy@localhost
deadguy@localhost's password: 
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 4.3-STABLE (backup) #0: Wed May 23 17:17:10 EDT 2001

$ id
uid=20460(deadguy) gid=20460(deadguy) groups=20460(deadguy)
$ exit
backup2# chfn deadguy
backup2# tail -1 /etc/master.passwd 
deadguy:$1$MDq4lIvx$W6jTaMLK3/vfBaZyFMQYb/:20460:20460::0:991368000:User &:/home/deadguy:/bin/sh
backup2#   
backup2# tail -1 /etc/master.passwd 
deadguy:$1$MDq4lIvx$W6jTaMLK3/vfBaZyFMQYb/:20460:20460::0:991368000:User &:/home/deadguy:/bin/sh
backup2# !ssh
ssh deadguy@localhost
deadguy@localhost's password: 
Last login: Wed Jun 20 22:44:19 2001 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 4.3-STABLE (backup) #0: Wed May 23 17:17:10 EDT 2001

Welcome to backup2.sentex.ca


$ id
uid=20460(deadguy) gid=20460(deadguy) groups=20460(deadguy)
$ exit
Connection to localhost closed.
backup2# ftp localhost
ftp: connect to address ::1: Permission denied
Trying 127.0.0.1...
Connected to localhost.
220 backup2.sentex.ca FTP server (Version 6.00LS) ready.
Name (localhost:mdtancsa): deadguy
331 Password required for deadguy.
Password:
230 User deadguy logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
backup2#
Comment 1 mikew 2001-06-23 02:56:52 UTC
Below is a patch for ftpd.c to have PAM check to see if a user's password
has expired. I'm working on a patch for OpenSSH tonight, and should have one
shortly. This works on 4.3-stable.

Mike Wiacek



*** ftpd.c      Wed Mar 21 09:40:36 2001
--- ftpd.new    Fri Jun 22 19:33:01 2001
***************
*** 1151,1156 ****
--- 1151,1167 ----
                if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
                    PAM_SUCCESS) {
                        tmpl_user = (const char *) item;
+
+                       /* Ok, the user is valid, BUT we have to check
+                        * if their account has expired. If it has, deny
+                        * access
+                        */
+
+                       if(pam_acct_mgmt(pamh, NULL) != PAM_SUCCESS){
+                               rval = -1;
+                               break;
+                       }
+
                        if (strcmp((*ppw)->pw_name, tmpl_user) != 0)
                                *ppw = getpwnam(tmpl_user);
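Review bot: the added `pam_acct_mgmt(pamh, NULL)` passes a null pointer constant where the second parameter of pam_acct_mgmt() is `int flags`; it should be `0` (or `PAM_SILENT` if the conversation function should not be driven) so the call compiles cleanly with prototypes in scope. The failure path also throws the PAM return code away: storing it in the existing `e` and logging `pam_strerror(pamh, e)` before `rval = -1; break;` would let an operator tell an expired account (`PAM_ACCT_EXPIRED`) apart from a module error. Minor style point: `if(` should be `if (` to match the surrounding code.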
--------------------------------------------------------
UNIX was not designed to stop you from doing stupid
things, because that would also stop you from doing
clever things. -- Doug Gwyn

  Mike Wiacek
  Systems Administrator
  Magpage Internet Services
  800-250-2990 Ext 226
Comment 2 mheffner 2001-06-23 07:18:15 UTC
You might want to check out bin/20952, it has a slightly different patch, but
same problem. Actually, one of these should be closed.

On 21-Jun-2001 Mike Tancsa wrote:
| 
|>Number:         28311
|>Category:       bin
|>Synopsis:       ftpd and sshd do not honor expired pw entries


Mike

-- 
  Mike Heffner         <mheffner@[acm.]vt.edu>
  Fredericksburg, VA       <mikeh@FreeBSD.org>
Comment 3 mikew 2001-06-23 17:31:35 UTC
ftpd does check for expired passwords when not using PAM; however, by
default ftpd does use PAM, and this check is not performed. The patch
from bin/20952 does the expiration check, but it doesn't use PAM to
perform the check. The one from here uses the abstraction that PAM
provides to check for expiration, and when it is compiled without PAM,
the pre-existing code will perform the check... It's really a matter of
preference though :-)

Mike
Comment 4 dwmalone freebsd_committer freebsd_triage 2001-07-01 21:25:21 UTC
Responsible Changed
From-To: freebsd-bugs->markm

Mark has been looking after a lot of the PAM patches - maybe he can commit
these fixes for ftpd and sshd.
Comment 5 mike 2001-09-28 04:01:51 UTC
The commit,

From: Brian Feldman <green@FreeBSD.ORG>
Date: Thu, 27 Sep 2001 18:33:53 -0700 (PDT)
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: cvs commit: src/crypto/openssh atomicio.h auth-chall.c
          auth2-chall.c canohost.h clientloop.h groupaccess.c groupaccess.h
          kexdh.c kexgex.c log.h mac.c mac.h misc.c misc.h pathnames.h
          radix.h readpass.h scp-common.c scp-common.h serverloop.h ...
X-FreeBSD-CVS-Branch: RELENG_4

has fixed the ssh problem.  Can someone commit the simple ftpd patch?

	---Mike
--------------------------------------------------------------------
Mike Tancsa,                          	          tel +1 519 651 3400
Sentex Communications,     			  mike@sentex.net
Providing Internet since 1994                    www.sentex.net
Cambridge, Ontario Canada			  www.sentex.net/mike
Comment 6 Mark Murray freebsd_committer freebsd_triage 2003-08-20 11:17:22 UTC
Responsible Changed
From-To: markm->des

Over to the PAM guy.
Comment 7 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2004-01-26 21:18:49 UTC
State Changed
From-To: open->closed

fixed, thanks.