Re: Password Ageing

From: Darren Tucker (
Date: 08/25/05

  • Next message: Markus Friedl: "Re: Password Ageing"
    Date: Thu, 25 Aug 2005 10:20:48 +1000
    To: Bob Rasmussen <>

    Bob Rasmussen wrote:
    > On Tue, 23 Aug 2005, Baker, Darryl wrote:
    >>Our corporate security policy requires us to turn on password ageing. I'm
    >>trying to figure out what the effects are to openssh users. This is on
    >>Solaris 8 & 9 with openssh 3.9p1.
    >>I have several questions:

    Answers from memory. This has changed quite a bit over the last couple
    of years so some details may vary with versions:

    >> 1) Will ssh users ever see the warnings about their password
    >>approaching expiration?

    With PAM enabled: yes. With PAM disabled: for password authentications

    >> 2) If the password has expired will they still be able to log in:
    >> a) using a password?

    Yes, but it will force them to change it.

    >> b) using a key?

    With PAM enabled: it will force them to change it. Without, it will
    just permit the login.

    >> 3) Would UseLogin improve any of this?

    I don't think so, but I've not tried it.

    >> 4) What happens with key only logins with UseLogin turned on?

    UseLogin is used the same way for pubkey and password logins so I don't
    think it would change anything (but again, I've not tried it).

    > I can give some partial information. The SSH protocol as defined includes
    > procedures for a) the server notifying the client that a password has
    > elapsed;

    Specifically: the SSH v2 protocol does. If you're referring to
    PASSWD_CHANGEREQ then OpenSSH doesn't implement that. If you're
    referring to USERAUTH_BANNER, then OpenSSH does use that if PAM's
    account checks failed (e.g. password expired too long).

    > and b) the client pushing a new password to the server. Note that
    > b) could be done at any time, not only in response to a).

    You're referring to the "change" flag in password authentication? No
    version of OpenSSH implements that.

    It does implement pam_chauthtok() via keyboard-interactive and the
    session when privsep=no, and by running /usr/bin/passwd for other cases,
    both with and without PAM.

    Darren Tucker (dtucker at
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
        Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
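The messages Darren refers to above (USERAUTH_BANNER, PASSWD_CHANGEREQ, and the "change" boolean in a password USERAUTH_REQUEST) are defined in the SSH user authentication spec (now RFC 4252, sections 5.4 and 8). The following is an added example, written for this page and not taken from the post or from OpenSSH, that encodes and decodes those three messages in Python so the wire format and the expired-password exchange the spec describes are concrete. As the post says, OpenSSH does not implement the change flag or PASSWD_CHANGEREQ, so this illustrates the protocol, not OpenSSH behaviour. The user name, passwords and prompt text are constructed sample values.

```python
"""Encoder/decoder for the RFC 4252 password-change messages (added example,
not OpenSSH code). Wire types follow RFC 4251: 'string' is a uint32 big-endian
length prefix plus bytes, 'boolean' is a single byte (0 = FALSE)."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50          # RFC 4252 s.5
SSH_MSG_USERAUTH_BANNER = 53           # RFC 4252 s.5.4
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # RFC 4252 s.8


def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _boolean(v: bool) -> bytes:
    return b"\x01" if v else b"\x00"


class Reader:
    """Cursor over a packet payload; every read checks bounds so a truncated
    or over-long message raises ValueError instead of reading garbage."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise ValueError("truncated: expected byte")
        v = self.data[self.pos]
        self.pos += 1
        return v

    def boolean(self) -> bool:
        return self.byte() != 0

    def string(self) -> bytes:
        if self.pos + 4 > len(self.data):
            raise ValueError("truncated: expected uint32 length")
        (n,) = struct.unpack(">I", self.data[self.pos:self.pos + 4])
        self.pos += 4
        if self.pos + n > len(self.data):
            raise ValueError("truncated: string body shorter than its length")
        v = self.data[self.pos:self.pos + n]
        self.pos += n
        return v

    def done(self) -> bool:
        return self.pos == len(self.data)


def build_banner(message: str, lang: str = "") -> bytes:
    """Server -> client: SSH_MSG_USERAUTH_BANNER (what OpenSSH sends when PAM's
    account check fails, e.g. an expired account)."""
    return bytes([SSH_MSG_USERAUTH_BANNER]) + _string(message.encode()) + _string(lang.encode())


def build_passwd_changereq(prompt: str, lang: str = "") -> bytes:
    """Server -> client: SSH_MSG_USERAUTH_PASSWD_CHANGEREQ (RFC 4252 s.8)."""
    return bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]) + _string(prompt.encode()) + _string(lang.encode())


def build_password_request(user: str, password: str, new_password: str = None,
                           service: str = "ssh-connection") -> bytes:
    """Client -> server: password USERAUTH_REQUEST. With new_password=None the
    'change' boolean is FALSE and one password follows; otherwise the boolean is
    TRUE and the old and new plaintext passwords both follow (RFC 4252 s.8)."""
    msg = (bytes([SSH_MSG_USERAUTH_REQUEST]) + _string(user.encode())
           + _string(service.encode()) + _string(b"password"))
    if new_password is None:
        return msg + _boolean(False) + _string(password.encode())
    return msg + _boolean(True) + _string(password.encode()) + _string(new_password.encode())


def parse_message(payload: bytes) -> dict:
    """Decode one of the three message types into a dict; rejects unknown
    types, non-password methods and trailing bytes."""
    r = Reader(payload)
    t = r.byte()
    if t == SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        out = {"type": "PASSWD_CHANGEREQ", "prompt": r.string().decode(), "lang": r.string().decode()}
    elif t == SSH_MSG_USERAUTH_BANNER:
        out = {"type": "USERAUTH_BANNER", "message": r.string().decode(), "lang": r.string().decode()}
    elif t == SSH_MSG_USERAUTH_REQUEST:
        user, service, method = r.string().decode(), r.string().decode(), r.string().decode()
        if method != "password":
            raise ValueError(f"unsupported method {method!r}")
        change = r.boolean()
        out = {"type": "USERAUTH_REQUEST", "user": user, "service": service,
               "change": change, "password": r.string().decode()}
        if change:
            out["new_password"] = r.string().decode()
    else:
        raise ValueError(f"unexpected message type {t}")
    if not r.done():
        raise ValueError("trailing bytes after message")
    return out


def password_change_exchange(user: str, old: str, new: str,
                             prompt: str = "Password expired, enter a new one"):
    """The three-message exchange RFC 4252 s.8 defines for an expired password,
    returned as decoded dicts: plain request, server CHANGEREQ, change request."""
    first = build_password_request(user, old)
    changereq = build_passwd_changereq(prompt)
    second = build_password_request(user, old, new)
    return [parse_message(first), parse_message(changereq), parse_message(second)]


if __name__ == "__main__":
    for m in password_change_exchange("alice", "old-secret", "new-secret"):
        print(m)
```

The bounds checks in `Reader` matter more than the happy path: a server that trusts the uint32 length prefix in a client's password request without comparing it to the remaining payload is reading attacker-controlled lengths, which is the class of bug behind several historical SSH parser flaws.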
