- fixed security problem: when password expired the forced password change echoed the password on the screen [bug #20903].
Is the echoed password the old, expired password or the new, recently thought up password? If I understand correctly, it will show on the screen the passwords you type in, which means the old password once (if you have to type it in) and the new password twice. Bye Uli -- Ulrich Roth IMPACT Business & Technology Consulting GmbH Im Mediapark 8 / KölnTurm D-50670 Koeln Phone +49-221-93 70 80-29 Fax +49-221-93 70 80-15 E-Mail: roth@impact.de
On Wed, Nov 06, 2002 at 11:41:19AM +0100, Ulrich Roth wrote:
If I understand correctly, it will show on the screen the passwords you type in, which means the old password once (if you have to type it in) and the new password twice.
Correct. What happens is - you connect to the server - you authenticate as usual; password is not echoed - sshd prints a message "your password has expired, please change it" - the chauthtok function(s) of the PAM stack are called. The default PAM module asks you for - old password - new password - new password for confirmation All of them are visible because sshd doesn't turn off terminal echo. Not a huge problem if you ask me but worth fixing anyway. Cheers, Olaf -- Olaf Kirch | Anyone who has had to work with X.509 has probably okir@suse.de | experienced what can best be described as ---------------+ ISO water torture. -- Peter Gutmann
participants (2)
-
Olaf Kirch -
Ulrich Roth