Since I did not get much response on the subject, I hope you
don't mind me reposting it, with one additional question.
As I stated earlier (see below), you can log in via ssh even
to a disabled account, and that's the problem I am trying to
solve.
The reason is this. Because I don't have usersec.h (what is it?),
HAVE_USERSEC_H stays undefined. Therefore, the section that
checks the password expiration is never executed.
1) Where does usersec.h come from?
2) Supposing no one has usersec.h, is there a way of aging
a passphrase to test?
3) Any other insights?
TIA
------------------------------
Kyu Y. Lee
Solveris, Inc.
(425) 485-4357 X250
[EMAIL PROTECTED]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Kyu Lee
Sent: Wednesday, September 22, 1999 6:46 PM
To: [EMAIL PROTECTED]
Subject: Logging on to a disabled account
I've just installed ssh-1.2.27, sshd on HP-UX 10.20, and test ssh on
Digital UNIX V4.0E (Rev. 1091).
When I age the password (that is to force expiration) on the server, I
cannot log in to the server with rlogin or login. That is expected.
However, I can still ssh to the server from a client to a user ID that is
disabled. This is not what I expected.
Upon examination of the source code, I noticed that the password expiration
test is done in a section of sshd.c when HAVE_USERSEC_H is defined.
HAVE_USERSEC_H is defined if a header file <usersec.h> is available, which
is not. config.h.in has it undefined.
Do I interpret it correctly? Besides, what good is it if one can log in to
the server back-door (via ssh) when the account is disabled?
I would appreciate any thoughts on this dilemma.
Thank you in advance
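
The failure mode described in the messages above, where a check placed inside an #ifdef vanishes when configure does not find the header, shown as an added example (not code from ssh-1.2.27 or from the poster). HAVE_EXPIRY_BACKEND, struct account and all three functions are hypothetical names, and the account record is constructed.

```c
#include <stdio.h>
#include <time.h>

/* Added illustration: all names here are hypothetical, not from ssh-1.2.27. */
struct account {
    const char *name;
    time_t expires;   /* 0 = never expires */
    int locked;       /* nonzero = administratively disabled */
};

int is_expired_or_locked(const struct account *a, time_t now)
{
    return a->locked || (a->expires != 0 && a->expires <= now);
}

/* Pattern from the message: the test exists only when the feature macro
 * is defined, so a build without it accepts every account. */
int allowed_guarded(const struct account *a, time_t now)
{
#ifdef HAVE_EXPIRY_BACKEND            /* hypothetical macro, undefined here */
    if (is_expired_or_locked(a, now))
        return 0;
#else
    (void)a; (void)now;               /* check compiled out */
#endif
    return 1;
}

/* Fail-closed variant: without a backend the account state is unknown,
 * so the login is refused rather than silently allowed. */
int allowed_fail_closed(const struct account *a, time_t now)
{
#ifdef HAVE_EXPIRY_BACKEND
    return !is_expired_or_locked(a, now);
#else
    (void)a; (void)now;
    return 0;
#endif
}

int main(void)
{
    struct account expired = { "testuser", 1000, 0 };  /* constructed sample */
    time_t now = 2000;
    printf("guarded:     %s\n", allowed_guarded(&expired, now) ? "ALLOW" : "DENY");
    printf("fail-closed: %s\n", allowed_fail_closed(&expired, now) ? "ALLOW" : "DENY");
    return 0;
}
```

Building with -DHAVE_EXPIRY_BACKEND makes both functions deny the expired account.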