RE: Expired password unchangeable with SFTP clients



I wanted to follow up on this because I did find the fix and it was (of
course) on the server side.

In the sshd_config, (on my system, it's in /usr/local/etc), there is now
an option to UsePAM. By default, this is turned off. It needs set to
yes and all was fine in the world for me. Keyboard-interactive was
needed for changing the password, so that bit of information was useful,
thanks.

WS_FTP Pro was unable to accommodate password changing, however. I
contacted the company and was told it was a matter of how the expiration
was handled. They were doing it "correctly" and expiring the password
at one moment, where the Unix system was expiring at a different moment.
Either way, it doesn't work for my situation. If there is anyone around
that has specific experience with WS_FTP Pro, OpenSSH, and changing
expired passwords, I'd love to hear from you and how you handled it. I
have users that would really really like to stick with WS_FTP, but
without this level of functionality, I can't recommend it.

Thanks,
Russ Oliver

-----Original Message-----
From: Bob Rasmussen [mailto:info@xxxxxxx]
Sent: Thursday, January 31, 2008 10:24 AM
To: Russell Millard Oliver
Cc: secureshell@xxxxxxxxxxxxxxxxx;
secureshell-return-9729@xxxxxxxxxxxxxxxxx
Subject: Re: Expired password unchangeable with SFTP clients

On Thu, 31 Jan 2008, Russell Millard Oliver wrote:

I am running Solaris 9, OpenSSH 4.7p1
I am trying to configure SFTP-only users that will not have shell
access. As referenced in various places, I simply create a user whose
shell is /usr/local/libexec/sftp-server.

This works great for our use and I was just about to take it from
development to production when I started building accounts and
expiring
the password. When I try to log on with various different SFTP
clients
(putty's sftp client, ssh.com's free client, WinSCP, and even WS_FTP
Pro), if the password is expired, I get authentication failure. Using
Sun's SSH server, this works fine, but we're moving to OpenSSH.

Is there a configuration I don't know about that would allow me to be
able to change an expired password? Any other suggestions?

Are you allowing keyboard-interactive authentication? In some systems
(at
least) that I have worked with, the sshd deals with an expired password
by using the keyboard-interactive mechanism to prompt the user for the
old
and then the new password. I don't know whether PuTTY, etc., handle this

in their SFTP clients. But this might be a clue for you.

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@xxxxxxxxx
company e-mail: rsi@xxxxxxxxx
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com