OpenSSH password expiration

From: john.p.fox@accenture.com
Date: 09/19/02


To: focus-sun@securityfocus.com
Date: Thu, 19 Sep 2002 14:40:47 -0400

I am running OpenSSH_3.4p1 on Solaris 7/8 and attempting to implement
password aging. I've seen some discussion about enabling "UseLogin" to
accomplish this with SSH, but according to the sshd_config man page,
UseLogin will disable X11 Forwarding, which I would like to avoid. So I've
attempted to enable the password expiration warning and forced password
change by compiling ssh with PAM. This allows me to see password
expiration warning messages, but the forced password change after
expiration fails:

foxj@host1:~ $ ssh host2
foxj@host2's password:
Permission denied, please try again.
foxj@host2's password:
Permission denied, please try again.
foxj@host2's password:
Unable to find an authentication method
foxj@host1:~

I ran sshd with the -d flag and got the following output when attempting to
log in with an expired password:

debug1: userauth-request for user foxj service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "foxj"
debug1: PAM setting rhost to "host1"
Failed none for foxj from xxx.xxx.xxx.xxx port 1603 ssh2
debug1: userauth-request for user foxj service ssh-connection method password
debug1: attempt 1 failures 1
debug1: PAM Password authentication accepted for user "foxj"
PAM rejected by account configuration[10]: Get new authentication token

Does anyone have any insight into this issue?

Thanks,

John
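
Added example, not part of the original post or of OpenSSH: a small triage script for sshd -d output like the log above. It separates attempts where PAM accepted the password but the account stage then rejected the login (which the client only sees as "Permission denied") from ordinary bad passwords. The "bob" lines are constructed sample input, and the script assumes a single-connection debug log whose lines appear in order.

```python
import re
from collections import namedtuple

# Constructed sample: the foxj lines mirror the sshd -d output quoted in the
# post; the "bob" lines are invented to show an ordinary bad-password failure.
SAMPLE_LOG = """\
debug1: userauth-request for user foxj service ssh-connection method none
debug1: Starting up PAM with username "foxj"
Failed none for foxj from xxx.xxx.xxx.xxx port 1603 ssh2
debug1: userauth-request for user foxj service ssh-connection method password
debug1: PAM Password authentication accepted for user "foxj"
PAM rejected by account configuration[10]: Get new authentication token
debug1: userauth-request for user bob service ssh-connection method password
Failed password for bob from 192.0.2.11 port 1604 ssh2
"""

Finding = namedtuple("Finding", "user cause detail")

REQUEST = re.compile(r'userauth-request for user (\S+) service \S+ method (\S+)')
ACCEPTED = re.compile(r'PAM Password authentication accepted for user "([^"]+)"')
REJECTED = re.compile(r'PAM rejected by account configuration\[(\d+)\]: (.*)')
FAILED = re.compile(r'Failed password for (\S+) from')

def classify(log_text):
    """Return one Finding per failed password attempt, with the server-side cause."""
    findings = []
    current = None        # user named in the most recent userauth-request
    accepted = set()      # users whose password PAM accepted in this attempt
    for line in log_text.splitlines():
        if m := REQUEST.search(line):
            current = m.group(1)
            accepted.discard(current)   # new attempt: forget earlier state
        elif m := ACCEPTED.search(line):
            accepted.add(m.group(1))
        elif m := REJECTED.search(line):
            # The account-stage message carries no username; attribute it to
            # the user of the request being processed.
            code, text = m.group(1), m.group(2).strip()
            cause = ("account-rejected-after-valid-password"
                     if current in accepted else "account-rejected")
            findings.append(Finding(current, cause, f"[{code}] {text}"))
            accepted.discard(current)
        elif m := FAILED.search(line):
            findings.append(Finding(m.group(1), "bad-password", ""))
    return findings

if __name__ == "__main__":
    for f in classify(SAMPLE_LOG):
        print(f"{f.user}: {f.cause} {f.detail}")
```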
