
Fix regular users expired password reset issue

Open chmmeng opened this issue 1 year ago • 4 comments

When PASSWD_NEEDS_USERNAME is enabled and a password expires, a regular user like test will see the error: passwd: Only root can specify a user name upon login. Allowing regular users to change their own password is a reasonable requirement, so when PASSWD_NEEDS_USERNAME is enabled, a condition needs to be added to address this.

chmmeng avatar Nov 07 '24 03:11 chmmeng

On which platform did you experience this? AFAIK the existing code is correct for some of the three platforms where PASSWD_NEEDS_USERNAME is enabled (Solaris, UnixWare, OpenServer)

djmdjm avatar Nov 07 '24 03:11 djmdjm

I encountered this issue on a CentOS-like platform. Unlike Solaris, UnixWare, and OpenServer, CentOS doesn’t require PASSWD_NEEDS_USERNAME for standard users, as only root can specify a username with passwd. This difference seems to cause unexpected behavior in our environment.

chmmeng avatar Nov 10 '24 04:11 chmmeng

I'm more confused now - no Linux variant sets PASSWD_NEEDS_USERNAME in configure, are you setting it manually? If so, why?

djmdjm avatar Nov 10 '24 05:11 djmdjm

Yes, we set it manually to resolve a bug. There are two users: root and sysop (uid=0), and the sysop account has expired. When logging in as sysop, it prompts to change the root password instead of the sysop password. Here are the steps:

  1. useradd sysop
  2. Edit /etc/passwd, change the UID and GID of the sysop user to 0, save and exit.
  3. passwd sysop to set a password for the sysop user.
  4. Log in via SSH using the sysop account.
  5. Exit the SSH session.
  6. As root, execute passwd -e sysop to expire the sysop password.
  7. SSH into the server using the sysop account. It prompts to reset the password, but the username mentioned is root, not sysop.

chmmeng avatar Nov 13 '24 09:11 chmmeng
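The reproduction steps above hinge on two accounts sharing UID 0. A lookup by UID returns the first matching line of /etc/passwd, which is root, so anything that identifies the caller by UID rather than by login name (as passwd(1) does when invoked without a user name) will act on root instead of sysop. The following script is an added example, not code from openssh-portable or from the thread participants: it parses a constructed passwd-format sample, mimics name-by-UID versus UID-by-name resolution, and provides the check a defender would run to find duplicate UID 0 entries before they cause this kind of confusion. The function names and the sample content are assumptions made for the example.

```python
# Added example (not openssh-portable code): shows why a second UID-0 account
# such as "sysop" resolves back to "root" when looked up by UID, and gives a
# defender's check for duplicate UID 0 entries in /etc/passwd.
# SAMPLE_PASSWD is constructed for this demonstration.

from collections import defaultdict

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sysop:x:0:0::/home/sysop:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
"""


def parse_passwd(text):
    """Return a list of (name, uid, gid) tuples from passwd-format text."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip malformed lines rather than guess at them
        entries.append((fields[0], int(fields[2]), int(fields[3])))
    return entries


def name_by_uid(entries, uid):
    """Mimic getpwuid(3): the first entry in file order wins."""
    for name, entry_uid, _ in entries:
        if entry_uid == uid:
            return name
    return None


def uid_by_name(entries, name):
    """Mimic getpwnam(3): exact login-name match."""
    for entry_name, uid, _ in entries:
        if entry_name == name:
            return uid
    return None


def duplicate_uids(entries):
    """Map uid -> list of names for every UID shared by more than one account."""
    by_uid = defaultdict(list)
    for name, uid, _ in entries:
        by_uid[uid].append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def uid0_aliases(entries):
    """Login names other than 'root' that resolve to UID 0 (the sysop case)."""
    return [name for name, uid, _ in entries if uid == 0 and name != "root"]


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    # Logging in as "sysop" yields uid 0; resolving that uid back gives "root",
    # which is the name the expired-password prompt ends up showing.
    uid = uid_by_name(entries, "sysop")
    print(f"sysop -> uid {uid} -> name {name_by_uid(entries, uid)}")
    for shared_uid, names in duplicate_uids(entries).items():
        print(f"UID {shared_uid} shared by: {', '.join(names)}")
    print("UID 0 aliases:", uid0_aliases(entries))
```

Run against the real file with `parse_passwd(open("/etc/passwd").read())`; any non-empty result from `uid0_aliases` is the condition that triggers the behaviour reported in the thread, and is worth alerting on regardless of how sshd or passwd handle it.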