Re: password expire and sshd doesn't allow ppl to change it

2001-09-23 Thread Emmanuel Lacour

On Sat, 22 Sep 2001 03:33:31 -0800
Ethan Benson [EMAIL PROTECTED] wrote:

> On Sat, Sep 22, 2001 at 10:30:53AM +0200, Luca Gibelli wrote:
> >
> > I created a new account for testing purposes and put the following limits on
> > its password age:
>
> known bug in potato's ssh, password expiration simply doesn't work
> with it, as soon as it expires ssh denies access flat out.  your only
> option is either upgrading to woody or backporting the woody ssh
> package to potato (probably not very hard at all).
>
> i recommend backporting the sid ssh packages to potato. if someone
> hasn't already done that...

I've already done that, use:
deb http://people.easter-eggs.org/~manu/debian/ ssh/

in /etc/apt/sources.list

It also contains a backport of openssl095a, which is the minimum required for
compiling ssh 2.9.

This is the sid package with the chroot patch applied and with a few
modifications to the default config:

sshd_config: PermitRootLogin no
debconf: by default proposes to install non-setuid-root




Manu.


-- 
Easter-eggs - GNU/Linux specialist
44-46 rue de l'Ouest - 75014 Paris - France - Métro Gaité
Phone: +33 (0) 1 43 35 00 37 - Fax: +33 (0) 1 41 35 00 76
mailto:[EMAIL PROTECTED] - http://www.easter-eggs.com



Re: password expire and sshd doesn't allow ppl to change it

2001-09-23 Thread Ilkka Tuohela

In nixu.lists.debian.security, you wrote:


> On Sat, Sep 22, 2001 at 05:55:01PM +0300, Ilkka Tuohela wrote:
> > > It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
> > > compiling and putting it under a new directory
> > > /usr/local/noapt/ to avoid collisions with apt-get.
> > >
> > > Is there a clean way of upgrading the SSH package and avoid the
> > > conflicts?
> >
> > Add a deb-src line to /etc/apt/sources.list, pointing to unstable,
> > something like:
> > deb-src ftp://ftp.fti.debian.org/debian-non-US unstable non-US/main
> > non-US/contrib non-US/non-free

> you don't need contrib and non-free.

> > Then, do
> > apt-get update
> > apt-get -b source ssh
> >
> > Quite likely the build fails first if you don't have all the libraries
> > and -dev packages the build needs. You can continue in openssh-2.9b2
> > directory with dpkg-buildpackage, for example.
>
> grep ^Build debian/control

Yeah. You can't do this before you have unpacked the source, though...
How do I see source package descriptions with apt-cache? I didn't see
any command there to do this (like apt-cache showpkg), and apt-get build-dep
doesn't exist in potato's apt.

Anyway, apt-get source package and then dpkg-buildpackage manually works quite
well, and then you can of course check the control file.

> and install all listed build-depends packages.
>
> > This leaves you with custom ssh packages: this is the only way until
> > the new version is backported.
>
> which will never happen, except possibly by someone doing it unofficially.

Quite true. The only thing which could cause this is if a severe
security flaw were found in the version of ssh for potato, for which a patch was
not available and the only way to fix the bug was to upgrade to the 2.9
version. This is really improbable, anyway.

One thing users of these custom packages must remember is that their
system now has something which is not supported: if a security flaw
were found in openssh 2.9xx which doesn't exist in the potato version,
the user must compile a new version themselves; it's never upgraded
with apt-get upgrade from official servers.

-- 
   /\   |Ilkka Tuohela / Nixu Oy
   \ / ASCII Ribbon Campaign |[EMAIL PROTECTED]
X  Against HTML Mail |+358-40-5233174 
   / \






Re: password expire and sshd doesn't allow ppl to change it

2001-09-23 Thread Ethan Benson

On Sun, Sep 23, 2001 at 06:39:37PM +0300, Ilkka Tuohela wrote:
 
> Quite true. Only thing which could cause this is that there were a severe
> security flaw found with version of ssh for potato, for which a patch were
> not available and only way to fix the bug were to upgrade to the 2.9
> version. This is really unprobable, anyway.

nope, the security team would backport the fix.  the only time they
don't do that is if the fix is so complicated and ingrained in the 2.x
series that backporting would be more risky and problematic than a new
upstream.

about the only package that qualifies there is gnupg; the security
team doesn't backport fixes to that package generally, but the new
upstreams only fix the security holes anyway, so backporting them would
be roughly equivalent to new upstream minus new version number.

> One thing users of these custom packages must remember is that their
> system now has something which is not supported: if a security flaw
> were found from openssh 2.9xx which doesn't exist in potato version
> the user must compile a new version by themselves, it's never upgraded
> with apt-get upgrade from official servers.

indeed.  you have to be cautious with how many packages you backport
and start monitoring them yourselves.  though keeping an eye on
security problems is a good idea anyway, since debian sometimes doesn't
make security updates, or takes way too long.

proposed-updates has a potato libc update with only a security-related
change that's been there for months; also there is a procmail in
proposed-updates fixing a signal vulnerability (root hole most likely,
since it's setuid root by default), which has been there for quite a while
now.  w3m has a hole that's only been silently fixed in i386
security.debian.org (perhaps others; powerpc has an uninstallable
update).

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Luca Gibelli



I created a new account for testing purposes and put the following limits on
its password age:

Minimum:            0
Maximum:            180
Warning:            0
Inactive:           0
Last Change:        Mar 23, 2001
Password Expires:   Sep 19, 2001
Password Inactive:  Never
Account Expires:    Never

(Please note that Inactive is set to 0)

Today is Sep 22. I tried to login via ssh and this is what happens:

root@mosquito:/# ssh [EMAIL PROTECTED]
Enter passphrase for RSA key 'mosquito 11-Ott-2k':
[EMAIL PROTECTED]'s password:
Permission denied, please try again.
[EMAIL PROTECTED]'s password:

If I use telnet (I enabled it only for this test) everything seems to work:

Escape character is '^]'.
Linux  C. - Debian GNU/Linux 2.2 karma
karma login: bofh
Password:
You are required to change your password immediately (password aged)
Changing password for bofh
(current) UNIX password:

This is what I can see from auth.log:

Sep 22 10:23:04 karma sshd[13232]: password expired by aging for bofh, continuing
Sep 22 10:23:08 karma sshd[13232]: Accepted rsa for bofh from 151.28.120.93 port 33672
Sep 22 10:23:08 karma PAM_unix[13232]: expired password for user bofh (password aged)
Sep 22 10:23:08 karma sshd[13232]: PAM rejected by account configuration: Authentication token is no longer valid; new one required.
Sep 22 10:23:08 karma sshd[13232]: Faking authloop for illegal user bofh from 151.28.120.93 port 33672
Sep 22 10:23:14 karma sshd[13232]: Connection closed by 151.28.120.93
Sep 22 10:23:14 karma PAM_unix[13232]: (ssh) session closed for user bofh


I tried doing the same thing on a woody system and it worked just fine.
Is it a problem which affects only potato?
What shall I do to fix it (except upgrading to woody...)?


-- 
Luca Gibelli ([EMAIL PROTECTED] || [EMAIL PROTECTED])
PGP Fingerprint: EC7C D6D2 D754 89F8 BDE8  8924 6341 3B07 C2F3 9102
PGP Key Available on: Key Servers || http://gibelli.oltrelinux.com/gibelli.asc

BOFH excuse 179:
 The lines are all busy (busied out, that is -- why let them in to begin with?).
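A small detection script, added here as an illustration (it is not part of Luca's post nor of Debian's sshd): it groups the auth.log lines from the post by sshd PID and separates a legitimate user locked out by password aging (key accepted, then the PAM account stage refuses the expired token) from what "Faking authloop for illegal user" normally reports, a login name sshd does not know. The second session (pid 13240, user nosuchuser, source 192.0.2.7) is constructed for contrast.

```python
import re
from collections import defaultdict

# Sample input: the auth.log lines from the post (rejoined onto single lines),
# followed by one constructed session (pid 13240, user "nosuchuser", source
# 192.0.2.7) showing what "Faking authloop for illegal user" normally means:
# a login name sshd does not know at all.
AUTH_LOG = """\
Sep 22 10:23:04 karma sshd[13232]: password expired by aging for bofh, continuing
Sep 22 10:23:08 karma sshd[13232]: Accepted rsa for bofh from 151.28.120.93 port 33672
Sep 22 10:23:08 karma PAM_unix[13232]: expired password for user bofh (password aged)
Sep 22 10:23:08 karma sshd[13232]: PAM rejected by account configuration: Authentication token is no longer valid; new one required.
Sep 22 10:23:08 karma sshd[13232]: Faking authloop for illegal user bofh from 151.28.120.93 port 33672
Sep 22 10:23:14 karma sshd[13232]: Connection closed by 151.28.120.93
Sep 22 10:23:14 karma PAM_unix[13232]: (ssh) session closed for user bofh
Sep 22 10:41:02 karma sshd[13240]: Faking authloop for illegal user nosuchuser from 192.0.2.7 port 40010
Sep 22 10:41:09 karma sshd[13240]: Connection closed by 192.0.2.7
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\w+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")
FAKE_RE = re.compile(r"^Faking authloop for illegal user (?P<user>\S+) from (?P<src>\S+)")
EXPIRED_RE = re.compile(r"^expired password for user (?P<user>\S+)")
AUTHTOK_MSG = "Authentication token is no longer valid"   # PAM_NEW_AUTHTOK_REQD text


def new_session():
    return {"ts": None, "user": None, "src": None, "accepted": False,
            "authtok_expired": False, "fake_authloop": False}


def parse_sessions(log_text):
    """Group lines by (host, pid): sshd and the PAM_unix lines it triggers
    share the pid, so one connection becomes one record."""
    sessions = defaultdict(new_session)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        s = sessions[(m["host"], m["pid"])]
        s["ts"] = s["ts"] or m["ts"]
        msg = m["msg"]
        if m["prog"] == "sshd":
            a = ACCEPTED_RE.match(msg)
            f = FAKE_RE.match(msg)
            if a:
                s.update(user=a["user"], src=a["src"], accepted=True)
            elif f:
                s["user"], s["src"] = s["user"] or f["user"], s["src"] or f["src"]
                s["fake_authloop"] = True
            elif AUTHTOK_MSG in msg:
                s["authtok_expired"] = True
        elif m["prog"] == "PAM_unix":
            e = EXPIRED_RE.match(msg)
            if e:
                s["user"] = s["user"] or e["user"]
                s["authtok_expired"] = True
    return dict(sessions)


def verdict(s):
    """Credentials were accepted and then the PAM account stage refused the
    expired token: a real user locked out, not an attacker. Without an
    Accepted line, "illegal user" keeps its usual meaning."""
    if s["accepted"] and s["authtok_expired"]:
        return "expired_password_lockout"
    if s["fake_authloop"] and not s["accepted"]:
        return "invalid_user"
    return "other"


def classify(log_text):
    """Map (host, pid) -> session record plus verdict."""
    return {key: dict(s, verdict=verdict(s))
            for key, s in parse_sessions(log_text).items()}


if __name__ == "__main__":
    for (host, pid), s in sorted(classify(AUTH_LOG).items()):
        print("%s %s sshd[%s] user=%s from=%s: %s"
              % (s["ts"], host, pid, s["user"], s["src"], s["verdict"]))
```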



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson

On Sat, Sep 22, 2001 at 10:30:53AM +0200, Luca Gibelli wrote:
 
 
> I created a new account for testing purposes and put the following limits on
> its password age:

known bug in potato's ssh, password expiration simply doesn't work
with it, as soon as it expires ssh denies access flat out.  your only
option is either upgrading to woody or backporting the woody ssh
package to potato (probably not very hard at all).  

i recommend backporting the sid ssh packages to potato. if someone
hasn't already done that...

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson

On Sat, Sep 22, 2001 at 03:29:47PM +0200, Oyvind A. Holm wrote:
 
> In fact I think the OpenSSH distributed with potato should be upgraded.
> I could not use the version shipped with potato as it did not
> understand protocol 2 which is a must. When trying to install
> OpenSSH-2.2p2 (I think) from woody, dependencies with libc6-dev and
> locales broke, they expect libc6 = 2.1.3-18, but OpenSSH needs
> libc6-2.2.4-1. Quite weird it needs just that specific version - should
> not the newer versions also work? Well, it messed up apt-get entirely,

no, packages linked against newer libc won't run against older
versions of libc (usually).

> and as a very new Debian user (less than a week) not too used to
> apt-get and dpkg I just reinstalled the whole thing.

woody binary packages are not compatible with potato.  deal with it.

that's why i said *backport* the woody packages to potato, that does
NOT mean `download woody packages and run dpkg -i on them'

> It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
> compiling and putting it under a new directory
> /usr/local/noapt/ to avoid collisions with apt-get.

you don't need to do that.

> Is there a clean way of upgrading the SSH package and avoid the
> conflicts?

yes, compile the woody source package on potato, then it will be linked
against potato libc instead of woody libc.  sometimes you have to do
some changes to the package's debian build process since some packages
use dpkg features not present in potato, or use new features in
debhelper not present in potato.  anyone with basic shell scripting
and a bit of Makefile experience should be able to handle that with
not much difficulty.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ilkka Tuohela

> It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
> compiling and putting it under a new directory
> /usr/local/noapt/ to avoid collisions with apt-get.
>
> Is there a clean way of upgrading the SSH package and avoid the
> conflicts?

Add a deb-src line to /etc/apt/sources.list, pointing to unstable,
something like:
deb-src ftp://ftp.fti.debian.org/debian-non-US unstable non-US/main
non-US/contrib non-US/non-free

Then, do 
apt-get update
apt-get -b source ssh

Quite likely the build fails first if you don't have all the libraries
and -dev packages the build needs. You can continue in openssh-2.9b2
directory with dpkg-buildpackage, for example.

This leaves you with custom ssh packages: this is the only way until 
the new version is backported.

-- 
   /\   |Ilkka Tuohela / Nixu Oy
   \ / ASCII Ribbon Campaign |[EMAIL PROTECTED]
X  Against HTML Mail |+358-40-5233174 
   / \






Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Hubert Chan


>>>>> "Oyvind" == Oyvind A Holm [EMAIL PROTECTED] writes:

Oyvind> In fact I think the OpenSSH distributed with potato should be
Oyvind> upgraded.  I could not use the version shipped with potato as it
Oyvind> did not understand protocol 2 which is a must.

Note: just because it is a must for you doesn't mean that you have the
right to insist that the version in potato gets upgraded.  They only
upgrade potato packages to fix security problems, and maybe serious bugs
too.  There are plenty of packages in potato that are missing features
that people need.  If you need a newer version, either upgrade to woody
or sid, or compile from source.

Oyvind> When trying to install OpenSSH-2.2p2 (I think) from woody,
Oyvind> dependencies with libc6-dev and locales broke, they expect libc6
Oyvind> = 2.1.3-18, but OpenSSH needs libc6-2.2.4-1.

It's generally a bad idea (as you found out) to install woody packages
on a potato box.  Compile the source instead.  Or upgrade the whole
system to woody.  Or sid.

Oyvind> It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
Oyvind> compiling and putting it under a new directory /usr/local/noapt/
Oyvind> to avoid collisions with apt-get.

What you want to do is:

As root:
# apt-get build-dep openssh

And you may need to apt-get install fakeroot, if you haven't already.

Then as a normal user (in your home directory, or a subdirectory
thereof):
# apt-get source openssh
# cd openssh-<version number>
# fakeroot debian/rules binary
# cd ..

And then, as root:
# dpkg -i <all the .deb files that it created>

If problems arise in the build process, you may need to muck around in
the debian/rules script, or some other things in the debian directory.

Of course, this is all assuming that you have the appropriate source
lines in your sources.list file.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.






Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson

On Sat, Sep 22, 2001 at 05:55:01PM +0300, Ilkka Tuohela wrote:
> > It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
> > compiling and putting it under a new directory
> > /usr/local/noapt/ to avoid collisions with apt-get.
> >
> > Is there a clean way of upgrading the SSH package and avoid the
> > conflicts?
>
> Add a deb-src line to /etc/apt/sources.list, pointing to unstable,
> something like:
> deb-src ftp://ftp.fti.debian.org/debian-non-US unstable non-US/main
> non-US/contrib non-US/non-free

you don't need contrib and non-free.

> Then, do
> apt-get update
> apt-get -b source ssh
>
> Quite likely the build fails first if you don't have all the libraries
> and -dev packages the build needs. You can continue in openssh-2.9b2
> directory with dpkg-buildpackage, for example.

grep ^Build debian/control

and install all listed build-depends packages.

> This leaves you with custom ssh packages: this is the only way until
> the new version is backported.

which will never happen, except possibly by someone doing it unofficially.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson

On Sat, Sep 22, 2001 at 11:14:43AM -0400, Hubert Chan wrote:

> As root:
> # apt-get build-dep openssh

that doesn't work on potato's apt.  you have to do it the old way:

cd openssh-*
grep ^Build debian/control

look at the list and apt-get install each package.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/
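Since potato's apt has no build-dep, Ethan's advice in both of his replies above is to read Build-Depends out of debian/control and apt-get install each package by hand. The parser below is an added example, not the ssh package's own tooling: the debian/control sample is constructed with illustrative package names, and it handles the things a bare grep ^Build misses (continuation lines, `|` alternatives, `(>= version)` constraints, `[arch]` restrictions) before emitting the apt-get install line. Version constraints are dropped from that line and should be checked afterwards with dpkg -l.

```python
import re

# Constructed sample debian/control (illustrative package names and versions,
# not the real ssh source package's file). Build-Depends spans a continuation
# line and has a versioned entry, an alternative (|) and an architecture
# restriction, which is exactly what a hand-rolled grep ^Build stumbles over.
CONTROL = """\
Source: ssh
Section: non-US/main
Priority: standard
Maintainer: Example Maintainer <maintainer@example.org>
Build-Depends: libssl095a-dev, libz-dev, libpam0g-dev, libwrap0-dev,
 debhelper (>= 2.0.40), libgtk1.2-dev | libgnome-dev, libx11-dev [!m68k]
Standards-Version: 3.5.2

Package: ssh
Architecture: any
Depends: ${shlibs:Depends}, libpam-modules
Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
 Constructed placeholder description.
"""

# one dependency: name, optional "(rel version)", optional "[arch list]"
DEP_RE = re.compile(
    r"^(?P<name>[a-z0-9][a-z0-9+.-]*)"
    r"(?:\s*\((?P<rel>[<>=]+)\s*(?P<ver>[^)]+)\))?"
    r"(?:\s*\[(?P<arch>[^\]]+)\])?$"
)


def control_field(control_text, field):
    """Value of `field` in the first (source) paragraph of debian/control,
    with continuation lines (leading whitespace) folded in; None if absent."""
    value = None
    for line in control_text.split("\n\n", 1)[0].splitlines():
        if value is not None:
            if line[:1] in (" ", "\t"):      # continuation line
                value += " " + line.strip()
                continue
            break                            # next field: done
        if line.lower().startswith(field.lower() + ":"):
            value = line.split(":", 1)[1].strip()
    return value


def parse_build_depends(control_text):
    """Return a list of groups; each group is the list of alternatives
    (separated by |) as dicts with name, rel, ver and arch restrictions."""
    groups = []
    for group in (control_field(control_text, "Build-Depends") or "").split(","):
        group = group.strip()
        if not group:
            continue
        alts = []
        for alt in group.split("|"):
            m = DEP_RE.match(alt.strip())
            if not m:
                raise ValueError("cannot parse build dependency: %r" % alt)
            alts.append({"name": m["name"], "rel": m["rel"], "ver": m["ver"],
                         "arch": (m["arch"] or "").split()})
        groups.append(alts)
    return groups


def applies_to(dep, arch):
    """Evaluate a [arch ...] restriction: '!m68k' excludes, 'i386' includes."""
    if not dep["arch"]:
        return True
    excluded = [a[1:] for a in dep["arch"] if a.startswith("!")]
    if excluded:
        return arch not in excluded
    return arch in dep["arch"]


def install_command(control_text, arch="i386"):
    """The apt-get line to run on potato: first applicable alternative of each
    group, version constraints dropped (check them with dpkg -l afterwards)."""
    names = []
    for alts in parse_build_depends(control_text):
        for dep in alts:
            if applies_to(dep, arch):
                names.append(dep["name"])
                break
    return "apt-get install " + " ".join(names)


if __name__ == "__main__":
    for alts in parse_build_depends(CONTROL):
        print(" | ".join(d["name"] + (" (%s %s)" % (d["rel"], d["ver"]) if d["rel"] else "")
                         for d in alts))
    print(install_command(CONTROL))
```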



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Luca Gibelli



On Sat, Sep 22, in a moment of deep inspiration, Einar Karttunen wrote
regarding Re: password expire and sshd doesn't allow ppl to change it:

> What do the pam configuration files for sshd and telnetd
> (in /etc/pam.d/) look like? Are they identical, or has
> one stuff the other doesn't?

This is what I have in my /etc/pam.d files:

passwd:

password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   required   pam_unix.so use_authtok md5


login:

auth       requisite  pam_securetty.so
auth       required   pam_nologin.so
auth       required   pam_env.so
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so
session    required   pam_limits.so
session    optional   pam_lastlog.so
session    optional   pam_motd.so
session    optional   pam_mail.so standard
password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   required   pam_unix.so use_authtok md5

ssh:

auth       required   pam_nologin.so
auth       required   pam_unix.so
auth       required   pam_env.so # [1]
account    required   pam_unix.so
session    required   pam_unix.so
session    optional   pam_lastlog.so # [1]
session    optional   pam_motd.so # [1]
session    optional   pam_mail.so standard # [1]
session    required   pam_limits.so
password   required   pam_cracklib.so retry=3 minlen=6 difok=3
password   required   pam_unix.so use_authtok md5


Thank you for your help.

-- 
Luca Gibelli ([EMAIL PROTECTED] || [EMAIL PROTECTED])
PGP Fingerprint: EC7C D6D2 D754 89F8 BDE8  8924 6341 3B07 C2F3 9102
PGP Key Available on: Key Servers || http://gibelli.oltrelinux.com/gibelli.asc

BOFH excuse 321:
 it has Intel Inside



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Oyvind A. Holm
On 2001-09-22 03:33 Ethan Benson wrote:

> On Sat, Sep 22, 2001 at 10:30:53AM +0200, Luca Gibelli wrote:
> > I created a new account for testing purposes and put the following
> > limits on its password age:
>
> known bug in potato's ssh, password expiration simply doesn't work
> with it, as soon as it expires ssh denies access flat out. your only
> option is either upgrading to woody or backporting the woody ssh
> package to potato (probably not very hard at all).
>
> i recommend backporting the sid ssh packages to potato. if someone
> hasn't already done that...

In fact I think the OpenSSH distributed with potato should be upgraded.
I could not use the version shipped with potato as it did not
understand protocol 2 which is a must. When trying to install
OpenSSH-2.2p2 (I think) from woody, dependencies with libc6-dev and
locales broke, they expect libc6 = 2.1.3-18, but OpenSSH needs
libc6-2.2.4-1. Quite weird it needs just that specific version - should
not the newer versions also work? Well, it messed up apt-get entirely,
and as a very new Debian user (less than a week) not too used to
apt-get and dpkg I just reinstalled the whole thing.

It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
compiling and putting it under a new directory
/usr/local/noapt/ to avoid collisions with apt-get.

Is there a clean way of upgrading the SSH package and avoid the
conflicts?

Apart from that, Debian is just GREAT. I've been using RedHat since
1997 or something, but that has undoubtedly changed. I like the
philosophy of not moving the bleeding-edge stuff into the stable
release before one's sure it WORKS. And Debian does that.

Having that in mind, I disagree a bit with myself when asking for an
SSH upgrade. :-)

When upgrading from RedHat 6.1 (If it works don't fix it) I had to
examine their 7.1 release closely due to their unstable gcc episode in
7.0. Finding they included the (in my opinion) unstable 2.4.something
kernel, the choice was easy. It had to be Debian. And it will stay that
way.

   - Øyvind

+===+
| OpenPGP: 0xAD19826C 2000-01-24 Oyvind A. Holm [EMAIL PROTECTED] |
| Fingerprint: EAE5 DCA0 0626 5DAA 72F8  0435 2E2B E476 AD19 826C   |
+=== 2 + 2 = 5 for extremely large values of 2. +



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson
On Sat, Sep 22, 2001 at 03:29:47PM +0200, Oyvind A. Holm wrote:
 
 In fact I think the OpenSSH distributed with potato should be upgraded.
 I could not use the version shipped with potato as it did not
 understand protocol 2 which is a must. When trying to install
 OpenSSH-2.2p2 (I think) from woody, dependencies with libc6-dev and
 locales broke, they expect libc6 = 2.1.3-18, but OpenSSH needs
 libc6-2.2.4-1. Quite weird it needs just that specific version - should
 not the newer versions also work? Well, it messed up apt-get entirely,

no packages linked against newwer libc won't run against older
versions of libc (usually).  

 and as a very new Debian user (less than a week) not too used to
 apt-get and dpkg I just reinstalled the whole thing.

woody binary packages are not compatible with potato.  deal with it.

thats why i said *backport* the woody packages to potato, that does
NOT mean `download woody packages and run dpkg -i on them'

 It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
 compiling and putting it under a new directory
 /usr/local/noapt/ to avoid collisions with apt-get.

you don't need to do that.

 Is there a clean way of upgrading the SSH package and avoid the
 conflicts?

yes compile the woody source package on potato, then it will be linked
against potato libc instead of woody libc.  sometimes you have to do
some changes to the packages debian build process since some packages
use dpkg features not present in potato, or use new features in
debhelper not present in potato.  anyone with basic shell scripting
and a bit of Makefile experience should be able to handle that with
not much difficulty.  

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


pgpFGc1mKqqWy.pgp
Description: PGP signature


Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ilkka Tuohela
It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
compiling and putting it under a new directory
/usr/local/noapt/ to avoid collisions with apt-get.

Is there a clean way of upgrading the SSH package and avoid the
conflicts?

Add a deb-src line to /etc/apt/sources.list, pointing to unstable,
something like:
deb-src ftp://ftp.fti.debian.org/debian-non-US unstable non-US/main non-US/contrib non-US/non-free

Then, do 
apt-get update
apt-get -b source ssh

Quite likely the build fails first if you don't have all the libraries
and -dev packages the build needs. You can continue in the openssh-2.9b2
directory with dpkg-buildpackage, for example.

This leaves you with custom ssh packages: this is the only way until
the new version is backported.

-- 
   /\   |Ilkka Tuohela / Nixu Oy
   \ / ASCII Ribbon Campaign |[EMAIL PROTECTED]
X  Against HTML Mail |+358-40-5233174 
   / \



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Hubert Chan
 Oyvind == Oyvind A Holm [EMAIL PROTECTED] writes:

Oyvind In fact I think the OpenSSH distributed with potato should be
Oyvind upgraded.  I could not use the version shipped with potato as it
Oyvind did not understand protocol 2 which is a must.

Note: just because it is a must for you doesn't mean that you have the
right to insist that the version in potato gets upgraded.  They only
upgrade potato packages to fix security problems, and maybe serious bugs
too.  There are plenty of packages in potato that are missing features
that people need.  If you need a newer version, either upgrade to woody
or sid, or compile from source.

Oyvind When trying to install OpenSSH-2.2p2 (I think) from woody,
Oyvind dependencies with libc6-dev and locales broke, they expect libc6
Oyvind = 2.1.3-18, but OpenSSH needs libc6-2.2.4-1.

It's generally a bad idea (as you found out) to install woody packages
on a potato box.  Compile the source instead.  Or upgrade the whole
system to woody.  Or sid.

Oyvind It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
Oyvind compiling and putting it under a new directory /usr/local/noapt/
Oyvind to avoid collisions with apt-get.

What you want to do is:

As root:
# apt-get build-dep openssh

And you may need to apt-get install fakeroot, if you haven't already.

Then as a normal user (in your home directory, or a subdirectory
thereof):
# apt-get source openssh
# cd openssh-<version number>
# fakeroot debian/rules binary
# cd ..

And then, as root:
# dpkg -i <all the .deb files that it created>

If problems arise in the build process, you may need to muck around in
the debian/rules script, or some other things in the debian directory.

Of course, this is all assuming that you have the appropriate source
lines in your sources.list file.

-- 
Hubert Chan [EMAIL PROTECTED] - http://www.geocities.com/hubertchan/
PGP/GnuPG key: 1024D/71FDA37F
Fingerprint: 6CC5 822D 2E55 494C 81DD  6F2C 6518 54DF 71FD A37F
Key available at wwwkeys.pgp.net.   Please encrypt *all* e-mail to me.



Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson
On Sat, Sep 22, 2001 at 05:55:01PM +0300, Ilkka Tuohela wrote:
 It resulted in me getting the whole OpenSSH, OpenSSL and zlib,
 compiling and putting it under a new directory
 /usr/local/noapt/ to avoid collisions with apt-get.
 
 Is there a clean way of upgrading the SSH package and avoid the
 conflicts?
 
 Add a deb-src line to /etc/apt/sources.list, pointing to unstable,
 something like:
 deb-src ftp://ftp.fti.debian.org/debian-non-US unstable non-US/main non-US/contrib non-US/non-free

you don't need contrib and non-free.

 Then, do 
 apt-get update
 apt-get -b source ssh
 
 Quite likely the build fails first if you don't have all the libraries
 and -dev packages the build needs. You can continue in the openssh-2.9b2
 directory with dpkg-buildpackage, for example.

grep ^Build debian/control

and install all listed build-depends packages.

 This leaves you with custom ssh packages: this is the only way until
 the new version is backported.

which will never happen, except possibly by someone doing it unofficially.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/




Re: password expire and sshd doesn't allow ppl to change it

2001-09-22 Thread Ethan Benson
On Sat, Sep 22, 2001 at 11:14:43AM -0400, Hubert Chan wrote:

 As root:
 # apt-get build-dep openssh

that doesn't work on potato's apt.  you have to do it the old way:

cd openssh-*
grep ^Build debian/control

look at the list and apt-get install each package.

-- 
Ethan Benson
http://www.alaska.net/~erbenson/


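As an added example (not code from any post in this thread, nor from the Debian ssh package), the `grep ^Build debian/control` step that Ethan's two replies suggest for a potato apt without build-dep can be made a little more robust. The POSIX shell function below pulls package names out of the Build-Depends and Build-Depends-Indep fields, including continuation lines that a bare grep on `^Build` silently misses, and strips version constraints, architecture restrictions and alternatives (keeping the first alternative) so the result can be handed to apt-get install. The debian/control it runs on is a constructed sample: the package names and versions in it are illustrative and are not the real openssh build-dependency list.

```shell
#!/bin/sh
# Added example: list the build-dependency package names of a Debian source
# package from its debian/control, for use where apt-get build-dep is missing.
# Not code from the thread or the openssh package.

# Constructed sample control file (assumption: names/versions are illustrative).
# Note the continuation lines of Build-Depends, which a plain `grep ^Build`
# would not show.
SAMPLE_CONTROL=$(cat <<'EOF'
Source: openssh
Section: non-US
Priority: standard
Maintainer: Example Maintainer <maintainer@example.invalid>
Build-Depends: libwrap0-dev, libpam0g-dev | libpam-dev, libssl-dev (>= 0.9.6a-1),
 zlib1g-dev, groff, debhelper (>= 3.0) [!hurd-i386],
 libperl-dev
Build-Depends-Indep: docbook-to-man
Standards-Version: 3.5.6

Package: ssh
Architecture: any
Depends: ${shlibs:Depends}
Description: Secure rlogin/rsh/rcp replacement (OpenSSH)
EOF
)

# build_depends: read a debian/control on stdin, print one package name per line.
#   1. awk keeps the Build-Depends* field lines plus their continuation lines
#      (a continuation line starts with whitespace); any other line ends the field.
#   2. sed drops the field name, "(version constraint)" and "[arch restriction]".
#   3. tr splits the comma-separated relationships onto separate lines.
#   4. sed keeps only the first alternative of "a | b", trims whitespace, and
#      deletes empty entries left behind by trailing commas.
build_depends() {
    awk '
        /^Build-Depends(-Indep)?:/ { infield = 1; print; next }
        infield && /^[ \t]/        { print; next }
        { infield = 0 }
    ' \
    | sed -e 's/^Build-Depends[^:]*://' \
          -e 's/([^)]*)//g' \
          -e 's/\[[^]]*\]//g' \
    | tr ',' '\n' \
    | sed -e 's/|.*//' -e 's/^[ \t]*//' -e 's/[ \t]*$//' \
    | sed -e '/^$/d'
}

# Stand-alone run over the constructed sample; in a real checkout this would be
#   build_depends < debian/control
# and the output can be reviewed and then passed to apt-get install.
printf '%s\n' "$SAMPLE_CONTROL" | build_depends
```

Review the printed list before installing it: the function deliberately discards the version constraints, so a too-old -dev package on potato will still make dpkg-buildpackage fail at the configure or compile stage rather than at dependency resolution, which is the point at which Ethan's "some changes to the package's debian build process" advice applies.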