Re: Password Ageing
From: Darren Tucker (dtucker_at_zip.com.au)
Date: Thu, 25 Aug 2005 10:20:48 +1000 To: Bob Rasmussen <firstname.lastname@example.org>
Bob Rasmussen wrote:
> On Tue, 23 Aug 2005, Baker, Darryl wrote:
>>Our corporate security policy requires us to turn on password ageing. I'm
>>trying to figure out what the effects are to openssh users. This is on
>>Solaris 8 & 9 with openssh 3.9p1.
>>I have several questions:
Answers from memory. This has changed quite a bit over the last couple
of years so some details may vary with versions:
>> 1) Will ssh users ever see the warnings about their password
With PAM enabled: yes. With PAM disabled: for password authentications
>> 2) If the password has expired will they still be able to log in:
>> a) using a password?
Yes, but it will force them to change it.
>> b) using a key?
With PAM enabled: it will force them to change it. Without, it will
just permit the login.
>> 3) Would UseLogin improve any of this?
I don't think so, but I've not tried it.
>> 4) What happens with key only logins with UseLogin turned on?
UseLogin is used the same way for pubkey and password logins so I don't
think it would change anything (but again, I've not tried it).
> I can give some partial information. The SSH protocol as defined includes
> procedures for a) the server notifying the client that a password has
Specifically: the SSH v2 protocol does. If you're referring to
PASSWD_CHANGEREQ then OpenSSH doesn't implement that. If you're
referring to USERAUTH_BANNER, then OpenSSH does use that if PAM's
account checks failed (eg password expired too long).
> and b) the client pushing a new password to the server. Note that
> b) could be done at any time, not only in response to a).
You're referring to the "change" flag is password authentication? No
version of OpenSSH implements that.
It does implement pam_chauthtok() via keyboard-interactive and the
session when privsep=no, and by running /usr/bin/passwd for other cases,
both with and without PAM.
-- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.