[scponly] password compatibility mode and chroots
Kaleb Pederson
kpederson at ewu.edu
Fri Mar 18 19:33:28 EST 2005
We need to require that the users change their password every X number of
days. However, they are working within the chroot and passwd is run from
within the chroot, which isn't the needed behavior.
I'm currently seeing the following with debug mode on:
sshd[581802]: Accepted password for username from XXX port 37832 ssh2
[643116]: chrooted binary in place, will chroot()
[643116]: 3 arguments in total.
[643116]: arg 0 is scponlyc
[643116]: arg 1 is -c
[643116]: arg 2 is passwd
[643116]: opened log at LOG_AUTH, opts 0x00000009
[643116]: retrieved home directory of "/u03/upload//home/username" for user "username"
[643116]: chrooting to dir: "/u03/upload"
[643116]: setting uid to 214
[643116]: processing request: "passwd"
[643116]: running: /usr/bin/passwd (username: username(214), IP/port: XXX 37832 22)
[643116]: failed: /usr/bin/passwd with error No such file or directory(2) (username: username...)
In this case, it failed because I don't have passwd within the chroot, but I
don't want the passwd changed within the chroot anyway.
So, I have a couple of questions, assuming I haven't somehow missed something:
1) Is there a particular reason or two why scponly doesn't issue the passwd
command before chrooting (actually, it would probably just exec(passwd) and
then exit(0).) [ok... I'm leaving out some details, but I'm sure you get the
idea].
2) Out of curiosity, why does passwd accept a parameter, the root is going to
be changing the user's passwd? On AIX (this is probably configurable), if
root changes the passwd, the user is then forced to change their password on
their next login, so that wouldn't work in this scenario.... I suppose it
doesn't hurt anything, and perhaps I'm being a bit paranoid about the "extra"
parameter, but I don't understand why it's there.
If this seems like a reasonable option for inclusion, I'll submit a patch on
Monday or Tuesday. If the functionality isn't there currently, I'll need to
add it to meet our needs...
Thanks for the help.
--Kaleb
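
The ordering proposed in question 1 above, sketched as an added example (not scponly source and not the poster's patch). The helper names, the exact-match rule for "passwd" and the fixed environment are assumptions; a full implementation would also drop group IDs before setuid().

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
enum step { STEP_CHROOT, STEP_SETUID, STEP_EXEC, STEP_END };

/* Hypothetical helper: true only for the bare word "passwd". Requests with
 * arguments ("passwd root") are refused, so no client text reaches argv. */
int is_passwd_request(const char *request)
{
    return request != NULL && strcmp(request, "passwd") == 0;
}

/* Ordered steps for a request: the chroot is skipped only for "passwd". */
int plan_steps(const char *request, enum step plan[4])
{
    int n = 0;
    if (!is_passwd_request(request))
        plan[n++] = STEP_CHROOT;   /* every other request is confined first */
    plan[n++] = STEP_SETUID;       /* root is always dropped before exec */
    plan[n++] = STEP_EXEC;
    plan[n] = STEP_END;
    return n;
}

/* Drop to the user, then exec the system passwd (path as in the log above)
 * with a fixed argv and a minimal environment. Returns only on failure. */
int exec_system_passwd(uid_t uid)
{
    char *const argv[] = { "passwd", NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    if (setuid(uid) != 0)
        return -1;                 /* never exec while still privileged */
    execve("/usr/bin/passwd", argv, envp);
    return -1;
}

int main(void)
{
    /* Constructed sample requests; the plan is printed, nothing is run. */
    const char *samples[] = { "passwd", "passwd root", "scp -t /incoming" };
    const char *names[] = { "chroot", "setuid", "exec" };
    for (size_t i = 0; i < 3; i++) {
        enum step plan[4];
        int n = plan_steps(samples[i], plan);
        printf("%-18s:", samples[i]);
        for (int j = 0; j < n; j++) printf(" %s", names[plan[j]]);
        putchar('\n');
    }
    return 0;
}
```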