Re: Linux-PAM oddities

[Michael Tokarev <mjt tls msk ru>]

Steven S wrote:
> 
> Running a RedHat 6.2 box with pam-0.72-20.6.x installed.
> This machine was recently reconfigured to expire passwords after 90 days,
> giving 7 days notice of expiration + 7 days after to change their
> password. A user noticed some odd behaviour. With the password expired but
> within the 7 day window to change it....
> 
> (me@mybox) $ ssh me@anotherbox
> me@anotherbox's password:
> Your password has expired; please change it!
> Warning: Your password has expired, please change it now

This seems to be a bug somewhere, or maybe bug in docs: what
component should print this message ?  It seems some module
AND sshd prints this, shurely one of them shouldn't do this.

> Changing password for me
> (current) UNIX password: test.1234
> New UNIX password: test.1234
> Password unchanged
> Connection to anotherbox closed by remote host.
> Connection to anotherbox closed.
> 
> (me@mybox) $ ssh me@anotherbox
> me@anotherbox's password:
> Your password has expired; please change it!
> Warning: Your password has expired, please change it now
> Changing password for me
> (current) UNIX password: test.1234
> New UNIX password: foobar99
> Retype new UNIX password: foobar99
> Last login: Wed Jan 16 16:09:46 2002 from mybox
> [me@anotherbox /home/me ]$
> 
> notice the nifty plain text.
> 
> A tcpdump shows the plain text is being send across encrypted but as you
> can see it echos back on the display.

This is a good question for openssh-unix-dev@mindrot.org.

>                 Also when changing the password from
> this prompt it looks like Linux-PAM uses crypt instead of md5. Any way of
> changing that?

Edit your sshd PAM configuration in /etc/pam.d.  Compare this config
with e.g. login entry -- you should be able to figure the difference.
Perhaps adding `md5' on pam_unix password stack line will help here.

Regards,
 Michael.