SUMMARY: Problem with XDM and password aging

From: Richard N. Cleary (rnclear@sandia.gov)
Date: Fri Feb 10 1995 - 08:43:33 CST


Managers,
        Thanks to all of you who responded to my problem and
        sorry for the delay in posting this summary.

Original question

> Managers,
>
> I just got off the phone with SUN support regarding my problem
> with XDM and password aging. They said that it is a known bug
> in Sun XDM and there are no plans to fix the bug.
>
> Our users work at Xterminals and XDM allows the user to login with
> the old password and disregards the aging information in the
> password file. Unless the user logs into the system via telnet
> or through a tty they are oblivious to the need to change their
> password.
>
> I also manage an HP network that does not have the same problem.
> When I age a password on the HP and log in via XDM on an Xterminal
> the system responds with a popup and allows me to change my
> password.
>
> My question is does anybody know of another version of XDM other
> than the release with openwindows 3.0 that will support password
> aging on my SUNOS 4.1.3 690/MP system like HP's does?
>
> I will summarize

        Thanks to

        davee@lightning.mitre.org
        ted@osiris.ac.hmc.edu
        johns@rufus.state.com.au
        David.Deaves@cbr.atr.com.au
        mona@ncd.com

-----------------------------------------------------------------

> Hi Richard,
>
> We use the X11R4 version of xdm (vs. Sun's). It allows a password to
> be expired for X-terminal users, but they don't get a chance to change it.
> That is, once the password has expired, they simply can't login to an
> x-term running xdm at all! It keeps them from ignoring the expiration, but
> not very smoothly. I'd be grateful to hear if you get a better answer!
>
> Regards,
>
> Dave Edwards
> MITRE Corp.
> davee@mitre.org
>
------------------------------------------------------

> You could change your Xsession so it executes an rlogin instead of an XTerm
> when you go through X. It's a tad annoying, but should give you the aging
> capability you want.
>
> Unfortunately, I'm not sure of the details so I can't give you a
> step-by-step.
>
> Ted
>
> --
> Ted Lilley <Ted_Lilley@hmc.edu> Computer Science Major
> Osiris System Manager Harvey Mudd College
>
>
------------------------------------------------------

> Our approach was to modify the Xsession script in /usr/local/lib/X11/xdm
> (We are using X11R5 not openwindows). Our script calls a utility to check
> the password age from an xterm session, something like:
>
> TOUCHFILE=/tmp/xinit.$$
> touch $TOUCHFILE
> xterm -e chkpasswd $TOUCHFILE
>
> if [ -f $TOUCHFILE ]
> then
>    rm -f $TOUCHFILE
>    # OK - proceed with xsession
>    ....
> else
>    # FAILED
>    echo error message | xalert
> fi
>
> Chkpasswd checks the age of the passwd and if necessary prompts the user
> to change it. It removes $TOUCHFILE if there is a problem (i.e., if the passwd is
> old and the user fails to change it correctly).
>
> This could be improved by doing a preliminary check before calling the xterm
> so that we don't flash up a window if the passwd age is OK.
>
> John Surveyor State Bank of NSW
> Group Treasury
> johns@state.com.au Level 40 Grosvenor Place
> (02)259-4523 225 George St Sydney NSW 2000
>
----------------------------------------------------------

>
>
> The various unixes have all had their own ways of performing
> password aging. For this reason the MIT XDM didn't even try
> to support it. Some companies (HP) have written their own XDM
> that includes passwd aging. This modification of XDM is one
> approach to the problem, I recently took a different approach
> for a customer.
>
> I wrote a GUI (Motif) passwd change program which also incorporated
> a slightly modified form of 'cracklib'. This program also has an
> extra flag that indicates only do stuff if the user's passwd has
> expired. This is then called from XSession & the exit status
> checked.
>
> The only problem is I wrote it for AIX. If you're capable of writing
> the logic to test passwd expiration on your SUN and have Motif
> libraries, give me a call. It has been my intention to make it
> publicly available, but I haven't had the time.
>
>
> Dave !
>
> David B Deaves Phone: +61 6 251 1100
> Technical Consultant FAX: +61 6 251 2464
> Australian Technology Resources email: David.Deaves@cbr.atr.com.au
>

----- Begin Included Message -----

Here are some scripts to allow xdm to support password aging on SunOS.
(I don't know if it will work with NIS....) Use at your own risk ;-)

These scripts belong in your XDM home directory.

There are three scripts included:

Xstartup
doagecheck
dosetpasswd

each should be set to protection 744, or 755.

You might want to check the PATH variable.
(don't put '.' in the path...opens security holes...)

Hope this helps.

Mona
support@ncd.com
--------------------------

#!/bin/sh
#
# Xstartup
#
# This program is run as root after the user is verified
#
# default to the stock OpenWindows locations when the variables are not set
# (these are pathnames, so they are compared as strings)
if [ "${OPENWINHOME:=/usr/openwin}" != "/usr/openwin" ];then
   OPENWINHOME=/usr/openwin
fi
export OPENWINHOME

if [ "${XDM:=$OPENWINHOME/lib/xdm}" != "$OPENWINHOME/lib/xdm" ];then
   XDM=$OPENWINHOME/lib/xdm
fi
export XDM

PATH=$PATH:$OPENWINHOME/lib/xdm;export PATH

# the following allows a way to disable logins.
# if the file '/etc/nologin' exists, do not allow logins

if [ -f /etc/nologin ]; then
   exit 1
fi

# The following prevents root from logging in via XDM.

#if [ "$USER" = "root" ]; then
# exit 1
#fi

# change the following to '1' to enable passwd age checking

CHECKAGE=1

if [ `expr ${CHECKAGE}` -ge 1 ]; then

 case "${USER}" in
  root)
   # skip this test if this is root
   # echo "`date`: This is root (no aging check)."
   :
   ;;
  *)
   # run doagecheck as a child process (not sourced with '.') so that its
   # exit status comes back here instead of ending this script
   doagecheck
   stat=${?}
   if [ `expr ${stat}` -ge 1 ]; then
    echo "`date`: User ${USER} did not change passwd."
    exit 1
   fi
   ;;
 esac
fi

#XAUTHORITY=/.Xauthority
#export XAUTHORITY

#/usr/bin/X11/xhost - `hostname`

#if [ -f /usr/lib/X11/app-defaults/Xlogin ]; then
# xrdb -merge /usr/lib/X11/app-defaults/Xlogin
#fi
#/usr/bin/X11/xlogin -timeoutAction login

-----------------------

#!/bin/sh
#
# doagecheck
#
# This program attempts to deal with password aging on a Sun.
# It is recognized to be a quick-fix way to handle this issue from XDM.

# Roger Koby (NCD), 01 Mar 1993
#

SETPASSWD=0
TODAY=`date '+%m/%d/%y'`
JULIAN=`date '+%j'`
JULDATE=0
JULIANDIFF=0
#
# if passwd aging is not enabled for this user, exit
# (match the whole user-name field, so "bob" does not pick up "bobby")
#
AGING=`passwd -d -a | awk '$1 == "'"${USER}"'"'`
if [ `echo ${AGING} | wc -w` -le 1 ]; then
   echo "`date`: Password AGING is disabled for ${USER}."
   exit 0
fi
#
# passwd -d prints:  user  MM/DD/YY  minage  maxage
#
FULLYEAR=`date | awk '{print $6}'`
THISYEAR=`echo ${FULLYEAR} | cut -c3-4`
CURDATE=`echo ${AGING} | awk '{print $2}'`
MINAGE=`echo ${AGING} | awk '{print $3}'`
MAXAGE=`echo ${AGING} | awk '{print $4}'`

# split the date on '/' with -F: assigning FS inside the action does not
# apply to the record already being processed
SETMON=`echo ${CURDATE} | awk -F/ '{print $1}'`
SETDAY=`echo ${CURDATE} | awk -F/ '{print $2}'`
SETYEAR=`echo ${CURDATE} | awk -F/ '{print $3}'`

NONLEAP="31 28 31 30 31 30 31 31 30 31 30 31"
YESLEAP="31 29 31 30 31 30 31 31 30 31 30 31"

# cal needs the four-digit year ('cal 2 95' prints February of 95 AD)
LEAP=`cal 2 ${FULLYEAR} | grep -c 29`

if [ `expr ${LEAP}` -ge 1 ]; then
   LEAP=1
   LEAPSTR=${YESLEAP}
else
   LEAP=0
   LEAPSTR=${NONLEAP}
fi
LEAPDAYS=366
NONLEAPDAYS=365

# length and month table of the previous year, for passwords set last year
LASTYEAR=`expr ${FULLYEAR} - 1`
if [ `cal 2 ${LASTYEAR} | grep -c 29` -ge 1 ]; then
   LASTYEARDAYS=${LEAPDAYS}
   LASTLEAPSTR=${YESLEAP}
else
   LASTYEARDAYS=${NONLEAPDAYS}
   LASTLEAPSTR=${NONLEAP}
fi

case "${USER}" in
 root)
  # don't do anything
  :
  ;;
 *)
  if [ `echo ${AGING} | wc -w` -ge 2 ]; then
   echo "`date`: root: Password AGING is enabled for ${USER}."
   #
   #
   if [ `echo ${CURDATE} | grep -c "00/00/00"` -ge 1 ]; then
      echo "`date`: User ${USER}: Password is not set."
      SETPASSWD=1
   else
      # month table for the year the password was set in
      # (two-digit years, as printed by passwd, are compared as-is)
      if [ `expr ${SETYEAR}` -lt `expr ${THISYEAR}` ]; then
         MONTHS=${LASTLEAPSTR}
      else
         MONTHS=${LEAPSTR}
      fi
      # day-of-year the password was set: the full months before SETMON
      # plus the day within that month
      loop=0
      for days in ${MONTHS}
      do
         loop=`expr ${loop} + 1`
         if [ ${loop} -lt `expr ${SETMON}` ]; then
            JULDATE=`expr ${JULDATE} + ${days}`
         fi
      done
      JULDATE=`expr ${JULDATE} + ${SETDAY}`
      if [ `expr ${SETYEAR}` -lt `expr ${THISYEAR}` ]; then
         # set last year: days left in that year plus days elapsed this year
         # (expr needs the parentheses escaped from the shell; a password set
         # more than a year back is counted as about a year old, which still
         # exceeds any sensible MAXAGE)
         JULIANDIFF=`expr ${JULIAN} + \( ${LASTYEARDAYS} - ${JULDATE} \)`
      else
         JULIANDIFF=`expr ${JULIAN} - ${JULDATE}`
      fi
      if [ ${JULIANDIFF} -ge `expr ${MAXAGE}` -a \
           ${JULIANDIFF} -ge `expr ${MINAGE}` ]; then
         SETPASSWD=1
      fi
   fi
  fi
  ;;
esac
if [ ${SETPASSWD} -eq 0 ]; then
   echo "`date`:User ${USER}: passwd is not expired."
   exit 0
fi
#xmessage -g +200+200 \
# -fn 10x20 \
# -buttons Change_Password:3,Logout:2 \
# -default Change_Password \
# "Your password has expired."
#case "${?}" in
# 3)
  # remove any status left by an earlier run, so a missing file counts as
  # a failed change rather than as someone else's earlier success
  rm -f ./.pswdstat
  xterm -fn 10x20 \
    -g 60x8+300+300 \
    -T 'Your password has expired' \
    -e dosetpasswd
  if [ -f ./.pswdstat ]; then
    stat=`cat ./.pswdstat`
    stat=`expr ${stat:-1} + 0`
  else
    stat=1
  fi
  case "${stat}" in
  0)
    :
    ;;
  *)
    echo "change passwd failed: ${stat}";exit ${stat} ;;
  esac
# ;;
# *)
# echo "`date`: Logout: ${USER}";exit 1
# ;;
#esac

exit 0

# end doagecheck

-----------------------------------------------

#!/bin/sh
#
# dosetpasswd

# This script will run passwd, and detect whether the user
# successfully changed the passwd.

# Roger Koby (NCD), 01 Mar 1993
#

echo "Your password is expired. Please enter new password."

# This runs from Xstartup, i.e. as root, so passwd does not ask for the
# old password; the user has just been authenticated by xdm.
passwd $USER
stat=${?}

# record the exit status for doagecheck, which cannot see it through xterm
echo ${stat} > ./.pswdstat

case "${stat}" in
  0)
   ;;
  *)
    #echo "passwd failed"
    echo "Please wait....logging out."
    sleep 8
   ;;
esac
exit ${stat}

# end dosetpasswd

----- End Included Message -----
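The age arithmetic in doagecheck sums month lengths and has to special-case the previous year. As an added example (not part of the scripts above), here is a POSIX-sh day count for the MM/DD/YY dates that `passwd -d` prints, using a days-from-civil formula so that year boundaries and leap years fall out of the arithmetic; the 19xx/20xx pivot for two-digit years is an assumption.

```shell
#!/bin/sh
# Day-count arithmetic for the MM/DD/YY dates printed by SunOS `passwd -d`,
# using a days-from-civil formula instead of summing month lengths.
# Assumed here: two-digit years 70-99 mean 19xx, 00-69 mean 20xx.

# serial_from_mdy MM/DD/YY -> prints days since 1970-01-01 (proleptic Gregorian)
serial_from_mdy() {
    m=${1%%/*}; rest=${1#*/}; d=${rest%%/*}; y=${rest#*/}
    m=${m#0}; d=${d#0}; y=${y#0}              # strip leading zeros (08 -> 8)
    if [ "$y" -ge 70 ]; then y=$((y + 1900)); else y=$((y + 2000)); fi
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi  # count the year from March
    era=$((y / 400))
    yoe=$((y - era * 400))                    # year of era, 0..399
    doy=$(( (153 * ((m + 9) % 12) + 2) / 5 + d - 1 ))   # day of the March-based year
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))       # day of era
    echo $((era * 146097 + doe - 719468))
}

# password_age_days SETDATE TODAY -> prints whole days between the two dates
password_age_days() {
    echo $(( $(serial_from_mdy "$2") - $(serial_from_mdy "$1") ))
}

# password_expired SETDATE TODAY MAXAGE -> exit status 0 when a change is due:
# never set (00/00/00, as doagecheck treats it) or at least MAXAGE days old
password_expired() {
    if [ "$1" = "00/00/00" ]; then return 0; fi
    [ "$(password_age_days "$1" "$2")" -ge "$3" ]
}
```

Each call computes one serial day number, so a password set on 12/20/94 and checked on 02/10/95 comes out as 52 days old without any year-boundary branch.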



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:10:16 CDT