From nobody@FreeBSD.org  Wed Jun 20 19:48:16 2001
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id BD61837B406
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 20 Jun 2001 19:48:15 -0700 (PDT)
	(envelope-from nobody@FreeBSD.org)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.3/8.11.3) id f5L2mFq08512;
	Wed, 20 Jun 2001 19:48:15 -0700 (PDT)
	(envelope-from nobody)
Message-Id: <200106210248.f5L2mFq08512@freefall.freebsd.org>
Date: Wed, 20 Jun 2001 19:48:15 -0700 (PDT)
From: Mike Tancsa <mike@sentex.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ftpd and sshd do not honor expired pw entries
X-Send-Pr-Version: www-1.0

>Number:         28311
>Category:       bin
>Synopsis:       ftpd and sshd do not honor expired pw entries
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 20 19:50:00 PDT 2001
>Closed-Date:    Mon Jan 26 13:18:50 PST 2004
>Last-Modified:  Mon Jan 26 13:18:50 PST 2004
>Originator:     Mike Tancsa
>Release:        4
>Organization:
Sentex Communications
>Environment:
4.3-STABLE FreeBSD 4.3-STABLE #0: Wed May 23 17:17:10 EDT 2001 
>Description:
sshd and ftpd do not look at the expire field for a user. This is a security risk if the site relies on the expire field to prevent access.
>How-To-Repeat:
backup2# pw useradd deadguy
backup2# mkdir /home/deadguy
chown deadguy /home/deadguy
backup2# passwd deadguy
Changing local password for deadguy.
New password:
Please enter a password at least 6 characters in length.
New password:
Retype new password:
passwd: updating the database...
passwd: done
backup2# ssh deadguy@localhost
deadguy@localhost's password: 
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 4.3-STABLE (backup) #0: Wed May 23 17:17:10 EDT 2001

$ id
uid=20460(deadguy) gid=20460(deadguy) groups=20460(deadguy)
$ exit
backup2# chfn deadguy
backup2# tail -1 /etc/master.passwd 
deadguy:$1$MDq4lIvx$W6jTaMLK3/vfBaZyFMQYb/:20460:20460::0:991368000:User &:/home/deadguy:/bin/sh
backup2#   
backup2# tail -1 /etc/master.passwd 
deadguy:$1$MDq4lIvx$W6jTaMLK3/vfBaZyFMQYb/:20460:20460::0:991368000:User &:/home/deadguy:/bin/sh
backup2# !ssh
ssh deadguy@localhost
deadguy@localhost's password: 
Last login: Wed Jun 20 22:44:19 2001 from localhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
        The Regents of the University of California.  All rights reserved.
FreeBSD 4.3-STABLE (backup) #0: Wed May 23 17:17:10 EDT 2001

Welcome to backup2.sentex.ca


$ id
uid=20460(deadguy) gid=20460(deadguy) groups=20460(deadguy)
$ exit
Connection to localhost closed.
backup2# ftp localhost
ftp: connect to address ::1: Permission denied
Trying 127.0.0.1...
Connected to localhost.
220 backup2.sentex.ca FTP server (Version 6.00LS) ready.
Name (localhost:mdtancsa): deadguy
331 Password required for deadguy.
Password:
230 User deadguy logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> bye
221 Goodbye.
backup2#
>Fix:

>Release-Note:
>Audit-Trail:

From: Mike Wiacek <mikew@magpage.com>
To: <freebsd-gnats-submit@FreeBSD.org>
Cc: <mike@sentex.net>
Subject: Re: bin/28311: ftpd and sshd do not honor expired pw entries
Date: Fri, 22 Jun 2001 21:56:52 -0400 (EDT)

 Below is a patch for ftpd.c to have pam check to see if a user's password
 has expired. I'm working on a patch for openssh tonight, and should have one
 shortly. This works on 4.3-stable.
 
 Mike Wiacek
 
 
 
 *** ftpd.c      Wed Mar 21 09:40:36 2001
 --- ftpd.new    Fri Jun 22 19:33:01 2001
 ***************
 *** 1151,1156 ****
 --- 1151,1167 ----
                 if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
                     PAM_SUCCESS) {
                         tmpl_user = (const char *) item;
 +
 +                       /* Ok, the user is valid, BUT we have to check
 +                        * if their account has expired. If it has, deny
 +                        * access
 +                        */
 +
 +                       if(pam_acct_mgmt(pamh, NULL) != PAM_SUCCESS){
 +                               rval = -1;
 +                               break;
 +                       }
 +
                         if (strcmp((*ppw)->pw_name, tmpl_user) != 0)
                                 *ppw = getpwnam(tmpl_user);
 
 
 
 
 
 
 --------------------------------------------------------
 UNIX was not designed to stop you from doing stupid
 things, because that would also stop you from doing
 clever things. -- Doug Gwyn
 
   Mike Wiacek
   Systems Administrator
   Magpage Internet Services
   800-250-2990 Ext 226
 

From: Mike Heffner <mheffner@novacoxmail.com>
To: Mike Tancsa <mike@sentex.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: RE: bin/28311: ftpd and sshd do not honor expired pw entries
Date: Sat, 23 Jun 2001 02:18:15 -0400 (EDT)

 
 You might want to check out bin/20952, it has a slightly different patch, but
 same problem. Actually, one of these should be closed.
 
 On 21-Jun-2001 Mike Tancsa wrote:
 | 
 |>Number:         28311
 |>Category:       bin
 |>Synopsis:       ftpd and sshd do not honor expired pw entries
 
 
 Mike
 
 -- 
   Mike Heffner         <mheffner@[acm.]vt.edu>
   Fredericksburg, VA       <mikeh@FreeBSD.org>
 
 

From: Mike Wiacek <mikew@magpage.com>
To: freebsd-gnats-submit@FreeBSD.org, mike@sentex.net
Cc:  
Subject: Re: bin/28311: ftpd and sshd do not honor expired pw entries
Date: Sat, 23 Jun 2001 12:31:35 -0400

 ftpd does check for expired passwords when not using PAM; however, by
 default ftpd does use PAM, and this check is not performed. The patch
 from bin/20952 does the expiration check but it doesn't use PAM to
 perform the check. The one from here uses the abstraction that PAM
 provides to check for expiration, and when it is compiled without PAM,
 the pre-existing code will perform the check... It's really a matter of
 preference though :-)
 
 Mike
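
The local check that the non-PAM path performs, as an added example (not
code from FreeBSD's ftpd, sshd or the patches in this PR): it parses a
master.passwd(5) record and refuses the login once the expire field is set
and reached. The "deadguy" record is the one from the report's transcript;
the value of REPORT_NOW is a constructed timestamp chosen to fall shortly
after that record's expire time, at about the time of the second ssh login.
The PAM path (pam_acct_mgmt) needs a configured PAM stack and is not shown.

```c
/*
 * Added example, not code from FreeBSD's ftpd or sshd: the local
 * account-expiry check of the non-PAM login path, applied to a
 * master.passwd(5) record.
 *
 * master.passwd(5) fields:
 *   name:password:uid:gid:class:change:expire:gecos:home:shell
 * "change" and "expire" are seconds since the epoch; 0 means "never".
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

enum { PW_NAME, PW_PASSWD, PW_UID, PW_GID, PW_CLASS, PW_CHANGE,
       PW_EXPIRE, PW_GECOS, PW_DIR, PW_SHELL, PW_NFIELDS };

struct pwrec {
    char   name[64];
    time_t change;   /* password change time, 0 = none set */
    time_t expire;   /* account expiry time,  0 = never    */
};

/* Record copied from the report's master.passwd (the hash is the one shown there). */
static const char DEADGUY_RECORD[] =
    "deadguy:$1$MDq4lIvx$W6jTaMLK3/vfBaZyFMQYb/:20460:20460::0:991368000:"
    "User &:/home/deadguy:/bin/sh";

/* Constructed "now": roughly Wed Jun 20 22:44 EDT 2001, the second ssh
 * login in the transcript, which is after the record's expire time. */
static const time_t REPORT_NOW = 993091440;

/* Split one master.passwd line into the fields we need.
 * Returns 0 on success, -1 if the line lacks ten colon-separated fields. */
int parse_master_passwd(const char *line, struct pwrec *out)
{
    char  buf[1024];
    char *fields[PW_NFIELDS];
    char *p, *sep;
    int   n;

    if (strlen(line) >= sizeof buf)
        return -1;
    strcpy(buf, line);
    if ((sep = strchr(buf, '\n')) != NULL)
        *sep = '\0';

    p = buf;
    for (n = 0; n < PW_NFIELDS; n++) {
        fields[n] = p;
        if (n == PW_NFIELDS - 1)
            break;                      /* shell is the last field */
        if ((sep = strchr(p, ':')) == NULL)
            return -1;                  /* too few fields */
        *sep = '\0';
        p = sep + 1;
    }
    snprintf(out->name, sizeof out->name, "%s", fields[PW_NAME]);
    out->change = (time_t)strtoll(fields[PW_CHANGE], NULL, 10);
    out->expire = (time_t)strtoll(fields[PW_EXPIRE], NULL, 10);
    return 0;
}

/* 1 if an expire time is set and "now" has reached it, else 0. */
int account_expired(const struct pwrec *pw, time_t now)
{
    return pw->expire != 0 && now >= pw->expire;
}

/* 1 if a password change time is set and "now" has reached it, else 0. */
int password_change_due(const struct pwrec *pw, time_t now)
{
    return pw->change != 0 && now >= pw->change;
}

/* The check the daemons skipped: 1 = allow, 0 = account expired,
 * -1 = unparseable record (a caller should treat that as deny too). */
int login_allowed(const char *line, time_t now)
{
    struct pwrec pw;

    if (parse_master_passwd(line, &pw) != 0)
        return -1;
    return account_expired(&pw, now) ? 0 : 1;
}

/* Convenience accessor: the expire field of a record, or -1 if malformed. */
long long record_expire(const char *line)
{
    struct pwrec pw;

    return parse_master_passwd(line, &pw) == 0 ? (long long)pw.expire : -1;
}

int main(void)
{
    struct pwrec pw;

    if (parse_master_passwd(DEADGUY_RECORD, &pw) != 0) {
        fprintf(stderr, "malformed record\n");
        return 1;
    }
    printf("%s: expire=%lld change=%lld -> %s\n", pw.name,
           (long long)pw.expire, (long long)pw.change,
           login_allowed(DEADGUY_RECORD, REPORT_NOW) == 1 ? "allow"
                                                          : "DENY (expired)");
    return 0;
}
```

Note the boundary: an account whose expire time equals "now" is already
expired, matching the `>=` used by the BSD login checks, and a record that
fails to parse is reported separately so a caller never treats a garbled
line as "no expiry set".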
 
Responsible-Changed-From-To: freebsd-bugs->markm 
Responsible-Changed-By: dwmalone 
Responsible-Changed-When: Sun Jul 1 13:25:21 PDT 2001 
Responsible-Changed-Why:  
Mark has been looking after a lot of the pam patches - maybe he can commit 
these fixes for ftpd and sshd. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=28311 

From: Mike Tancsa <mike@sentex.net>
To: freebsd-gnats-submit@freebsd.org, mike@sentex.net
Cc:  
Subject: Re: bin/28311: ftpd and sshd do not honor expired pw entries
Date: Thu, 27 Sep 2001 23:01:51 -0400

 The commit,
 
 From: Brian Feldman <green@FreeBSD.ORG>
 Date: Thu, 27 Sep 2001 18:33:53 -0700 (PDT)
 To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
 Subject: cvs commit: src/crypto/openssh atomicio.h auth-chall.c
           auth2-chall.c canohost.h clientloop.h groupaccess.c groupaccess.h
           kexdh.c kexgex.c log.h mac.c mac.h misc.c misc.h pathnames.h
           radix.h readpass.h scp-common.c scp-common.h serverloop.h ...
 X-FreeBSD-CVS-Branch: RELENG_4
 
 has fixed the ssh problem.  Can someone commit the simple ftpd patch?
 
 	---Mike
 --------------------------------------------------------------------
 Mike Tancsa,                          	          tel +1 519 651 3400
 Sentex Communications,     			  mike@sentex.net
 Providing Internet since 1994                    www.sentex.net
 Cambridge, Ontario Canada			  www.sentex.net/mike
 
Responsible-Changed-From-To: markm->des 
Responsible-Changed-By: markm 
Responsible-Changed-When: Wed Aug 20 03:17:22 PDT 2003 
Responsible-Changed-Why:  
Over to the PAM guy. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=28311 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Jan 26 13:18:49 PST 2004 
State-Changed-Why:  
fixed, thanks. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=28311 
>Unformatted:
