Re: Password Ageing

From: Bob Rasmussen (
Date: 08/24/05

  • Next message: Darren Tucker: "Re: Ssh hangs after authentication"
    Date: Wed, 24 Aug 2005 08:42:24 -0700 (PDT)
    To: "Baker, Darryl" <>

    On Tue, 23 Aug 2005, Baker, Darryl wrote:

    > Our corporate security policy requires us to turn on password ageing. I'm
    > trying to figure out what the effects are to openssh users. This is on
    > Solaris 8 & 9 with openssh 3.9p1.
    > I have several questions:
    > 1) Will ssh users ever see the warnings about their password
    > approaching expiration?
    > 2) If the password has expired will they still be able to log in:
    > a) using a password?
    > b) using a key?
    > 3) Would UseLogin improve any of this?
    > 4) What happens with key only logins with UseLogin turned on?

    I can give some partial information. The SSH protocol as defined includes
    procedures for a) the server notifying the client that a password has
    elapsed; and b) the client pushing a new password to the server. Note that
    b) could be done at any time, not only in response to a).

    I am fairly sure that OpenSSH 3.9 does not implement these procedures.
    Version 4 may have one or both.

    I can research this further in the actual source if that would be useful -
    contact me off-list.

    ....Bob Rasmussen, President, Rasmussen Software, Inc.

    personal e-mail:
     company e-mail:
              voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
                fax: (US) 503-624-0760

  • Next message: Darren Tucker: "Re: Ssh hangs after authentication"