Date: Tue, 18 Mar 2003 14:45:25 -0800 (PST)
From: Julian Elischer
To: Dag-Erling Smørgrav
Cc: hackers@freebsd.org
Subject: Re: rumour of password aging failure in 4.7/4.8RC

On Tue, 18 Mar 2003, Dag-Erling Smørgrav wrote:

> Julian Elischer writes:
> > So, the fix would be to go back to an old version of ssh?
>
> Yes, but you'd have to go back to a version with known remotely
> exploitable vulnerabilities.
>
> Since this is a problem for you and your customers, I will look into
> getting password changing to work, at least for PAM authentication,
> when I import 3.6 (which should be out in a few weeks).

Ok so we'll have to miss 4.8.
Does making it work for PAM allow it to work for ssh?
That's where they are worried the most.

>
> DES
> --
> Dag-Erling Smørgrav - des@ofug.org

THANKS!

The banks are all getting paranoid at the thought of an organised
break-in attempt from "unfriendly" sources and it trickles down to us..

The other thing they are on about is "3 tries and you are out"
password lockouts.

/usr/src/contrib/libpam/modules/pam_tally.c
is what they want. We're trying to 'resurrect' it and see if it still
works with 4.8. Is there a similar file for the new PAM code?
(or another way of doing it?)

Are old and new PAM modules in any way compatible?
If we wrote one that ran on 4.x would we be able to continue to run it
(even with a recompile) when we switch to 5.3?