Re: Password Ageing
From: Bob Rasmussen (ras_at_anzio.com)
Date: Wed, 24 Aug 2005 08:42:24 -0700 (PDT)
To: "Baker, Darryl" <Darryl.Baker@gedas.com>
On Tue, 23 Aug 2005, Baker, Darryl wrote:
> Our corporate security policy requires us to turn on password ageing. I'm
> trying to figure out what the effects are to openssh users. This is on
> Solaris 8 & 9 with openssh 3.9p1.
> I have several questions:
> 1) Will ssh users ever see the warnings about their password
> approaching expiration?
> 2) If the password has expired will they still be able to log in:
> a) using a password?
> b) using a key?
> 3) Would UseLogin improve any of this?
> 4) What happens with key only logins with UseLogin turned on?
I can give some partial information. The SSH protocol as defined includes
procedures for a) the server notifying the client that a password has
elapsed; and b) the client pushing a new password to the server. Note that
b) could be done at any time, not only in response to a).
I am fairly sure that OpenSSH 3.9 does not implement these procedures.
Version 4 may have one or both.
I can research this further in the actual source if that would be useful -
contact me off-list.
....Bob Rasmussen, President, Rasmussen Software, Inc.
personal e-mail: firstname.lastname@example.org
company e-mail: email@example.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
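
The two procedures mentioned in the reply above, as an added example that is not part of the original message and is not OpenSSH code. It assumes the message layouts of the "password" method as later published in RFC 4252, section 8; the function names, the sample user and the "ssh-connection" service value are illustrative choices.

```python
import struct

# Message numbers assumed from RFC 4252 (SSH Authentication Protocol).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60

def ssh_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def read_string(buf: bytes, off: int):
    """Return (value, next_offset); reject lengths that overrun the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + n
    if end > len(buf):
        raise ValueError("string length exceeds payload")
    return buf[off + 4:end], end

def build_changereq(prompt: str, lang: str = "") -> bytes:
    """Server -> client, procedure (a): the password has expired."""
    return (bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ])
            + ssh_string(prompt.encode("utf-8")) + ssh_string(lang.encode("ascii")))

def build_password_change(user: str, old: str, new: str) -> bytes:
    """Client -> server, procedure (b): password request with change flag TRUE."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8")) + ssh_string(b"ssh-connection")
            + ssh_string(b"password") + b"\x01"
            + ssh_string(old.encode("utf-8")) + ssh_string(new.encode("utf-8")))

def parse_password_request(payload: bytes) -> dict:
    """Server-side parse of a 'password' USERAUTH_REQUEST payload."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    user, off = read_string(payload, 1)
    _service, off = read_string(payload, off)
    method, off = read_string(payload, off)
    if method != b"password" or off >= len(payload):
        raise ValueError("not a complete password request")
    change = payload[off] != 0          # FALSE = plain login, TRUE = change
    old, off = read_string(payload, off + 1)
    new, off = read_string(payload, off) if change else (None, off)
    if off != len(payload):
        raise ValueError("trailing bytes after request")
    return {"user": user.decode("utf-8"), "change": change, "old": old, "new": new}
```

Both passwords travel as plaintext fields inside this payload, so the exchange depends on the SSH transport layer for confidentiality.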