[Bug 1193] Open ssh will not allow changing of passwords on usernames greater than 8 characters.

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jun 9 01:12:03 EST 2006


------- Comment #1 from dtucker at zip.com.au  2006-06-09 01:12 -------
I believe this is a bug or limitation in Solaris' "passwd" command
(which is what sshd invokes under the covers in this situation) which
occurs when the username is more than 8 characters, and that if you run
"/bin/passwd abcdefghi" on the command line you will see the same

I can suggest the following things to try:

1) Don't have usernames more than 8 characters long on Solaris (or at
least, that version), since it does not appear to be supported.

2) Configure sshd to only allow authentication via challenge-response
authentication ("PasswordAuthentication no" and
"ChallengeResponseAuthentication yes") which will allow sshd to change
expired passwords by calling pam_chauthtok() directly (assuming this
works, I have not tried it under those conditions).  This is more
likely to work with the current OpenSSH version (4.3p2) than 3.9p1.

3) Configure sshd with UsePrivilegeSeparation=no.  This will mean that
sshd will have the privileges required to call pam_chauthtok() rather
than execute /bin/passwd.  (again, if it works as I've not tried it)

4) Ask Sun to fix /bin/passwd to work properly with usernames longer
than 8 chars.

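A triage helper for the workarounds listed in the comment above, added here as an example and not part of the original comment or of OpenSSH: it lists accounts longer than 8 characters and reports, following the comment's description, whether an expired-password change would go through /bin/passwd or pam_chauthtok(). The function names and sample files are constructed, and the script assumes a default of "yes" for all three sshd_config keywords.

```shell
#!/bin/sh
# Added example; function names and sample files are constructed for illustration.

# Print account names longer than MAX characters (default 8) in a passwd-format file.
long_usernames() {
    awk -F: -v max="${2:-8}" 'length($1) > max + 0 { print $1 }' "$1"
}

# Print the global value of KEY from an sshd_config-format file, else DEFAULT.
# The first occurrence wins; keywords are case-insensitive and may be
# written "Key value" or "Key=value". Match blocks are not evaluated.
sshd_setting() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        { sub(/#.*/, ""); gsub(/=/, " ") }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Report how an expired password would be changed, following the comment:
# challenge-response only (workaround 2) or no privilege separation
# (workaround 3) means pam_chauthtok(); otherwise /bin/passwd is executed.
# Note that workaround 3 also gives up sshd's privilege separation.
expired_password_path() {
    pw=$(sshd_setting "$1" PasswordAuthentication yes)
    cr=$(sshd_setting "$1" ChallengeResponseAuthentication yes)
    ps=$(sshd_setting "$1" UsePrivilegeSeparation yes)
    if [ "$ps" = no ] || { [ "$pw" = no ] && [ "$cr" = yes ]; }; then
        echo "pam_chauthtok"
    else
        echo "/bin/passwd"
    fi
}

# Constructed sample input.
tmp=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/:/sbin/sh' 'abcdefghi:x:101:10::/home/a:/bin/sh' \
    'alice:x:102:10::/home/b:/bin/sh' > "$tmp/passwd"
printf '%s\n' '# constructed' 'PasswordAuthentication no' \
    'challengeresponseauthentication=yes' > "$tmp/sshd_config"

echo "Accounts over 8 characters: $(long_usernames "$tmp/passwd" | tr '\n' ' ')"
echo "Expired-password change uses: $(expired_password_path "$tmp/sshd_config")"
```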