[scponly] password compatibility mode and chroots

Kaleb Pederson kpederson at mail.ewu.edu
Mon Mar 21 15:20:01 EST 2005


Hello again,

Before I patch scponly to support changing the password outside of a chroot, 
when a chroot environment is used, I just wanted to see if you had any last 
minute suggestions or feedback (so hopefully I don't need to patch it).

Thanks.

--Kaleb

On Friday 18 March 2005 4:33 pm, Kaleb Pederson wrote:
> We need to require that the users change their password every X number of
> days.  However, they are working within the chroot and passwd is run from
> within the chroot, which isn't the needed behavior.
>
> I'm currently seeing the following with debug mode on:
>
> sshd[581802]: Accepted password for username from XXX port 37832 ssh2
> [643116]: chrooted binary in place, will chroot()
> [643116]: 3 arguments in total.
> [643116]:      arg 0 is scponlyc
> [643116]:      arg 1 is -c
> [643116]:      arg 2 is passwd
> [643116]: opened log at LOG_AUTH, opts 0x00000009
> [643116]: retrieved home directory of "/u03/upload//home/username" for user
> "username"
> [643116]: chrooting to dir: "/u03/upload"
> [643116]: setting uid to 214
> [643116]: processing request: "passwd"
> [643116]: running: /usr/bin/passwd (username: username(214), IP/port: XXX
> 37832 22)
> [643116]: failed: /usr/bin/passwd with error No such file or directory(2)
> (username: username...)
>
> In this case, it failed because I don't have passwd within the chroot, but
> I don't want the passwd changed within the chroot anyway.
>
> So, I have a couple of questions, assuming I haven't somehow missed something
>
> 1) Is there a particular reason or two why scponly doesn't issue the passwd
> command before chrooting (actually, it would probably just exec(passwd) and
> then exit(0).) [ok... I'm leaving out some details, but I'm sure you get
> the idea].
>
> 2) Out of curiosity, why does passwd accept a parameter? Is root going
> to be changing the user's passwd?  On AIX (this is probably configurable),
> if root changes the passwd, the user is then forced to change their
> password on their next login, so that wouldn't work in this scenario.... 
> I suppose it doesn't hurt anything, and perhaps I'm being a bit paranoid
> about the "extra" parameter, but I don't understand why it's there.
>
> If this seems like a reasonable option for inclusion, I'll submit a patch
> on Monday or Tuesday.  If the functionality isn't there currently, I'll
> need to add it to meet our needs...
>
> Thanks for the help.
>
> --Kaleb
>
> _______________________________________________
> scponly mailing list
> scponly at lists.ccs.neu.edu
> https://lists.ccs.neu.edu/bin/listinfo/scponly
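The sequence the log above walks through (chroot, setuid, exec the requested command) and the change proposed in question 1 (run passwd before chrooting, then exit) can be shown in one small wrapper. The following is an added example written for this archive page; it is not scponly's code, and every function name in it (plan_request, binary_in_jail, drop_privileges, enter_jail_and_drop) is hypothetical. It assumes the same /usr/bin/passwd path the log shows, and that the wrapper is started setuid-root with the real uid/gid of the user, which is what chroot() requires. The only request allowed to run outside the jail is the exact string "passwd" with no arguments, which also removes the "extra" parameter that question 2 worries about.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum where { RUN_IN_JAIL, RUN_OUTSIDE_JAIL, REJECT };

/* Decide where a request runs. Only a bare "passwd" may run outside the
 * jail (and only when a chroot is configured); everything else runs
 * jailed, and anything carrying shell metacharacters is refused. */
enum where plan_request(const char *request, int chroot_configured)
{
    if (request == NULL || *request == '\0')
        return REJECT;
    if (strcmp(request, "passwd") == 0)
        return chroot_configured ? RUN_OUTSIDE_JAIL : RUN_IN_JAIL;
    if (strpbrk(request, ";|&`$<>\n") != NULL)
        return REJECT;
    return RUN_IN_JAIL;
}

/* Check, before chroot(), that the binary exists inside the jail as an
 * executable regular file. The log above shows why: without this check the
 * failure surfaces only as ENOENT from exec after privileges are gone. */
int binary_in_jail(const char *jail, const char *path)
{
    char full[4096];
    struct stat st;
    if (snprintf(full, sizeof full, "%s%s", jail, path) >= (int)sizeof full)
        return 0;
    return stat(full, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR) != 0;
}

/* Drop from root to the user: supplementary groups first, then gid, then
 * uid, then prove root cannot be regained. Returns 0 on success. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* still root: refuse to continue */
    return 0;
}

/* chroot(), then chdir("/") so the cwd is inside the jail, then drop. */
int enter_jail_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    return drop_privileges(uid, gid);
}

int main(int argc, char **argv)
{
    /* Constructed defaults; a real wrapper would read these from config. */
    const char *jail = "/u03/upload";
    const char *passwd_path = "/usr/bin/passwd";
    uid_t uid = getuid();            /* real ids are the invoking user's */
    gid_t gid = getgid();

    if (argc != 3 || strcmp(argv[1], "-c") != 0) {
        fprintf(stderr, "usage: %s -c request\n", argv[0]);
        return 1;
    }

    switch (plan_request(argv[2], 1)) {
    case RUN_OUTSIDE_JAIL:
        /* Question 1's proposal: no chroot, drop to the user, exec passwd
         * (setuid-root, so it can still update the real password file). */
        if (drop_privileges(uid, gid) != 0) { perror("drop_privileges"); return 1; }
        execl(passwd_path, "passwd", (char *)NULL);
        perror("exec passwd");
        return 1;
    case RUN_IN_JAIL:
        if (!binary_in_jail(jail, passwd_path) && strcmp(argv[2], "passwd") == 0) {
            fprintf(stderr, "%s is not present inside %s\n", passwd_path, jail);
            return 1;
        }
        if (enter_jail_and_drop(jail, uid, gid) != 0) { perror("enter_jail"); return 1; }
        execl("/bin/sh", "sh", "-c", argv[2], (char *)NULL);
        perror("exec in jail");
        return 1;
    default:
        fprintf(stderr, "request rejected: %s\n", argv[2]);
        return 1;
    }
}
```

The order inside drop_privileges is the part worth copying: setgroups() before setgid() before setuid(), each return value checked, and a final setuid(0) that must fail. Running the full program needs a setuid-root binary (or root), since chroot() and setgroups() are privileged; plan_request and binary_in_jail can be exercised as an ordinary user.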
