RE: Expired password unchangeable with SFTP clients



I wanted to follow up on this because I did find the fix and it was (of
course) on the server side.

In the sshd_config, (on my system, it's in /usr/local/etc), there is now
an option to UsePAM. By default, this is turned off. It needs set to
yes and all was fine in the world for me. Keyboard-interactive was
needed for changing the password, so that bit of information was useful,
thanks.

WS_FTP Pro was unable to accommodate password changing, however. I
contacted the company and was told it was a matter of how the expiration
was handled. They were doing it "correctly" and expiring the password
at one moment, where the Unix system was expiring at a different moment.
Either way, it doesn't work for my situation. If there is anyone around
that has specific experience with WS_FTP Pro, OpenSSH, and changing
expired passwords, I'd love to hear from you and how you handled it. I
have users that would really really like to stick with WS_FTP, but
without this level of functionality, I can't recommend it.

Thanks,
Russ Oliver

-----Original Message-----
From: Bob Rasmussen [mailto:info@xxxxxxx]
Sent: Thursday, January 31, 2008 10:24 AM
To: Russell Millard Oliver
Cc: secureshell@xxxxxxxxxxxxxxxxx;
secureshell-return-9729@xxxxxxxxxxxxxxxxx
Subject: Re: Expired password unchangeable with SFTP clients

On Thu, 31 Jan 2008, Russell Millard Oliver wrote:

I am running Solaris 9, OpenSSH 4.7p1
I am trying to configure SFTP-only users that will not have shell
access. As referenced in various places, I simply create a user whose
shell is /usr/local/libexec/sftp-server.

This works great for our use and I was just about to take it from
development to production when I started building accounts and
expiring
the password. When I try to log on with various different SFTP
clients
(putty's sftp client, ssh.com's free client, WinSCP, and even WS_FTP
Pro), if the password is expired, I get authentication failure. Using
Sun's SSH server, this works fine, but we're moving to OpenSSH.

Is there a configuration I don't know about that would allow me to be
able to change an expired password? Any other suggestions?

Are you allowing keyboard-interactive authentication? In some systems
(at
least) that I have worked with, the sshd deals with an expired password
by using the keyboard-interactive mechanism to prompt the user for the
old
and then the new password. I don't know whether PuTTY, etc., handle this

in their SFTP clients. But this might be a clue for you.

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@xxxxxxxxx
company e-mail: rsi@xxxxxxxxx
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com



Relevant Pages

  • Re: Expired password unchangeable with SFTP clients
    ... When I try to log on with various different SFTP clients ... Are you allowing keyboard-interactive authentication? ... least) that I have worked with, the sshd deals with an expired password ... personal e-mail: ras@xxxxxxxxx ...
    (SSH)
  • Re: Project Server doesnt sync user accounts to Sharepoint service
    ... The com error could be caused by the WSSAdmin application service account ... has an expired password or has otherwise become locked. ... "We wrote the book on Project Server ...
    (microsoft.public.project)
  • IISADMPWD in IIS 6.0 - What changed?
    ... When a user with an expired password attempts to log on, ... The NTFS permissions for the VD are the same on both the old IIS 5 ... server and the new IIS 6 server. ... different SSL site in the domain that doesn't require authentication ...
    (microsoft.public.inetserver.iis)
  • SharePoint site not created
    ... I published a project to Project 2003 Server while I had an expired password ... This, of course, kept me from creating a Sharepoint site ... Is there any way retroactively to create the Sharepoint ... Other than saving the project as a file, deleting the project via Server ...
    (microsoft.public.project.pro_and_server)
  • Outlook 2003 Password Prompt
    ... when their password is expiring when they log in using RPC over HTTP? ... an expired password when they are gone and do not know it is expired. ...
    (microsoft.public.exchange.clients)