d***@infracentric.com
2018-09-28 13:23:46 UTC
Hi
I'm trying to integration a Java application using SSHJ
<https://github.com/hierynomus/sshj> client-side - into OpenSSH 7.4. This
is fine, except where I get to a password expiry situation.
Looking at RFC4252 <https://www.ietf.org/rfc/rfc4252.txt> (which is
supported by SSHJ) I don't see any SSH_MSG_USERAUTH_PASSWD_CHANGEREQ [60]
messages getting passed from OpenSSH. SSHJ expects these to allow prompting
for new password.
The only references to SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ in the OpenSSH
Portable code are in "sshconnect2.c" - which I believe is client-side.
So is RFC4252 supported for sshd (server-side) ?
I have compiled OpenSSH Portable
<https://github.com/openssh/openssh-portable> (v 7.8) on Centos 7 (using
PAM) and got into debug mode
In sshd_config I have
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods password
I can see two phases where authentication is applied - the first.
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required)
debug3: sshpam_password_change_required 1
debug3: mm_request_send entering: type 103
Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2
debug1: monitor_child_preauth: dhubbard2 has been authenticated by
privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]
However all I can see from the "password_change_required" is code in
auth-pam.c to set the auth token to PAM_CHANGE_EXPIRED_AUTHTOK, but no
RFC4252 style communication.
Then later.
debug2: ## DH: userauth_finish [preauth]
debug3: auth2_update_methods_lists: updating methods list after "password"
[preauth]
debug2: authentication methods list 0 complete [preauth]
debug2: ## DH: about to do_pam_account [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 102 [preauth]
debug3: mm_request_receive_expect entering: type 103 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug2: ## DH: done do_pam_account - no message [preauth]
debug3: send packet: type 52 [preauth]
i.e. no recognition of the expiry and no comms.
Am I missing something - like a config setting?
Thanks in advance
David
I'm trying to integration a Java application using SSHJ
<https://github.com/hierynomus/sshj> client-side - into OpenSSH 7.4. This
is fine, except where I get to a password expiry situation.
Looking at RFC4252 <https://www.ietf.org/rfc/rfc4252.txt> (which is
supported by SSHJ) I don't see any SSH_MSG_USERAUTH_PASSWD_CHANGEREQ [60]
messages getting passed from OpenSSH. SSHJ expects these to allow prompting
for new password.
The only references to SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ in the OpenSSH
Portable code are in "sshconnect2.c" - which I believe is client-side.
So is RFC4252 supported for sshd (server-side) ?
I have compiled OpenSSH Portable
<https://github.com/openssh/openssh-portable> (v 7.8) on Centos 7 (using
PAM) and got into debug mode
In sshd_config I have
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
AuthenticationMethods password
I can see two phases where authentication is applied - the first.
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug2: do_pam_account: auth information in SSH_AUTH_INFO_0
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no
longer valid; new one required)
debug3: sshpam_password_change_required 1
debug3: mm_request_send entering: type 103
Accepted password for dhubbard2 from 192.168.13.1 port 50263 ssh2
debug1: monitor_child_preauth: dhubbard2 has been authenticated by
privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_get_keystate: GOT new keys
debug3: mm_auth_password: user authenticated [preauth]
However all I can see from the "password_change_required" is code in
auth-pam.c to set the auth token to PAM_CHANGE_EXPIRED_AUTHTOK, but no
RFC4252 style communication.
Then later.
debug2: ## DH: userauth_finish [preauth]
debug3: auth2_update_methods_lists: updating methods list after "password"
[preauth]
debug2: authentication methods list 0 complete [preauth]
debug2: ## DH: about to do_pam_account [preauth]
debug3: mm_do_pam_account entering [preauth]
debug3: mm_request_send entering: type 102 [preauth]
debug3: mm_request_receive_expect entering: type 103 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_do_pam_account returning 1 [preauth]
debug2: ## DH: done do_pam_account - no message [preauth]
debug3: send packet: type 52 [preauth]
i.e. no recognition of the expiry and no comms.
Am I missing something - like a config setting?
Thanks in advance
David