OpenSSH password expiration

From: john.p.fox@accenture.com
Date: 09/19/02


To: focus-sun@securityfocus.com
From: john.p.fox@accenture.com
Date: Thu, 19 Sep 2002 14:40:47 -0400

I am running OpenSSH_3.4p1 on Solaris 7/8 and attempting to implement
password aging. I've seen some discussion about enabling "UseLogin" to
accomplish this with SSH, but according to the sshd_config man page,
UseLogin will disable X11 Forwarding, which I would like to avoid. So I've
attempted to enable the password expiration warning and forced password
change by compiling ssh with PAM. This allows me to see password
expiration warning messages, but the forced password change after
expiration fails:

foxj@host1:~ $ ssh host2
foxj@host2's password:
Permission denied, please try again.
foxj@host2's password:
Permission denied, please try again.
foxj@host2's password:
Unable to find an authentication method
foxj@host1:~

I ran sshd with the -d flag and got the following output when attempting to
log in with an expired password:

debug1: userauth-request for user foxj service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "foxj"
debug1: PAM setting rhost to "host1"
Failed none for foxj from xxx.xxx.xxx.xxx port 1603 ssh2
debug1: userauth-request for user foxj service ssh-connection method password
debug1: attempt 1 failures 1
debug1: PAM Password authentication accepted for user "foxj"
PAM rejected by account configuration[10]: Get new authentication token

Does anyone have any insight into this issue?

Thanks,

John

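
An added example, not part of the original message and not OpenSSH code: the client only ever shows "Permission denied", so this sketch reads sshd -d output and separates an expired-password rejection (password accepted, then refused at the PAM account step) from an ordinary authentication failure. The function name, verdict labels and the "alice" lines are assumptions made for illustration.

```python
import re

# Sample input: the foxj lines are taken from the sshd -d output quoted in the
# post; the alice lines are constructed to show an ordinary wrong password.
SAMPLE = """\
debug1: userauth-request for user foxj service ssh-connection method none
Failed none for foxj from xxx.xxx.xxx.xxx port 1603 ssh2
debug1: userauth-request for user foxj service ssh-connection method password
debug1: PAM Password authentication accepted for user "foxj"
PAM rejected by account configuration[10]: Get new authentication token
debug1: userauth-request for user alice service ssh-connection method password
Failed password for alice from 192.0.2.10 port 1604 ssh2
"""

REQUEST = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
ACCEPTED = re.compile(r'PAM Password authentication accepted for user "([^"]+)"')
ACCT_REJECT = re.compile(r"PAM rejected by account configuration\[(\d+)\]: (.*)")
FAILED = re.compile(r"Failed (\S+) for (\S+) from")


def classify(log_text):
    """Return one (user, method, verdict) tuple per userauth-request."""
    attempts = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m:
            attempts.append({"user": m.group(1), "method": m.group(2),
                             "accepted": False, "verdict": "unresolved"})
            continue
        if not attempts:
            continue  # ignore lines before the first request
        cur = attempts[-1]
        m = ACCEPTED.search(line)
        if m and m.group(1) == cur["user"]:
            cur["accepted"] = True
            continue
        m = ACCT_REJECT.search(line)
        if m:
            # Assumption: this message text means PAM wants a new password.
            expired = cur["accepted"] and "new authentication token" in m.group(2)
            cur["verdict"] = "expired_password" if expired else "account_rejected"
            continue
        m = FAILED.search(line)
        if m and m.group(2) == cur["user"] and cur["verdict"] == "unresolved":
            cur["verdict"] = "auth_failed"
    return [(a["user"], a["method"], a["verdict"]) for a in attempts]


if __name__ == "__main__":
    for row in classify(SAMPLE):
        print(*row)
```

Counting the expired_password rows separately keeps users with aged-out passwords from being mistaken for password-guessing attempts when failed logins are reviewed.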