Re: Expired password, openssh not invoking password change.

From: Darren Tucker (dtucker_at_gate.dodgy.net.au)
Date: 11/29/05


Date: 29 Nov 2005 03:04:49 GMT

On 2005-11-28, robbecker@gmail.com <robbecker@gmail.com> wrote:
> It looks like I've run into a problem. I can't be sure if this is a
> software bug or a designed feature with OpenSSH. I am currently
> running OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005.

It's probably a bug somewhere, although it may or may not be in OpenSSH.

[...]
> When I attempt to login I get this:
>
> login as: testuser
> Using keyboard-interactive authentication.
> Password:
> You are required to change your LDAP password immediately.
>
> Last login: Mon Nov 28 09:03:49 2005 from rbecker.motogroup.com

It looks like you are using PAM?

> It never forces me to change my password. Nothing in the logs says there
> are any problems, files not found or errors. Does anyone have any idea
> why OpenSSH isn't calling the passwd application when the user's password
> is expired?

Based on the output here, I would guess it's because your pam_acct_mgmt()
is not saying that the password is expired (ie returning PAM_SUCCESS
rather than PAM_NEW_AUTHTOK_REQD).

If you run sshd in debug mode (eg "path/to/sshd -ddde -p 2022" then connect
to port 2022) you will see what PAM is returning (look for "pam_acct_mgmt =
[something]").

If that's not it, please open an OpenSSH bug at
http://bugzilla.mindrot.org/ and we'll see what we can do to sort it out.
If you do, please include the compile-time options and any non-default
sshd_config options you used. A copy of the PAM config for sshd would
also be useful, if you are in fact using PAM.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
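As an added check that is not part of this thread, here is a small C filter over "sshd -ddd" output that pulls out the pam_acct_mgmt return code Darren points at and says what sshd will do with it. It assumes the debug line reads "pam_acct_mgmt = <code> (<text>)" as quoted above, and the two numeric codes are Linux-PAM's (OpenPAM numbers them differently).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return codes as numbered by Linux-PAM (security/_pam_types.h).
 * OpenPAM (BSD, macOS) numbers them differently; take them from its header. */
#define PAM_SUCCESS          0
#define PAM_NEW_AUTHTOK_REQD 12

enum acct_verdict { ACCT_OK, ACCT_CHANGE_REQUIRED, ACCT_DENIED };

/* Extract the pam_acct_mgmt() return code from one line of "sshd -ddd"
 * output ("... pam_acct_mgmt = 12 (...)"); -1 if the line is not that one. */
int acct_mgmt_code(const char *line)
{
    static const char key[] = "pam_acct_mgmt = ";
    const char *p = strstr(line, key);
    if (p == NULL)
        return -1;
    return (int)strtol(p + sizeof key - 1, NULL, 10);
}

/* What sshd does with that code: only PAM_NEW_AUTHTOK_REQD makes it run the
 * forced password change; PAM_SUCCESS lets the session start unchanged. */
enum acct_verdict verdict_for(int rc)
{
    if (rc == PAM_SUCCESS)
        return ACCT_OK;
    if (rc == PAM_NEW_AUTHTOK_REQD)
        return ACCT_CHANGE_REQUIRED;
    return ACCT_DENIED;   /* any other code: sshd refuses the login */
}
/* Constructed lines in the style of sshd -ddd output (not a real capture). */
static const char *sample[] = {
    "debug1: PAM: password authentication accepted for testuser",
    "debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)",
    NULL
};

int main(void)
{
    static const char *label[] = { "no change forced", "change forced", "login denied" };
    for (int i = 0; sample[i] != NULL; i++) {
        int rc = acct_mgmt_code(sample[i]);
        if (rc >= 0)
            printf("pam_acct_mgmt returned %d: %s\n", rc, label[verdict_for(rc)]);
    }
    return 0;
}
```

Pipe real "sshd -ddde -p 2022" stderr through it (or swap the sample array for fgets on stdin); a 0 next to the module's "change your password" warning is exactly the mismatch described above.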
