password expiration

Kevin Steves stevesk at pobox.com
Sat Dec 16 11:19:24 EST 2000


On Thu, 14 Dec 2000, Michael Stone wrote:
: How are people handling password expirations in (non-pam) openssh?

There's currently no support for this other than via PAM.

: I'm currently running a program in the various startup scripts that
: reports to the user when their password will expire and runs passwd if
: that date is getting close. How are other people dealing with this? 
: Is anyone working on integrating password changing into openssh? Is
: doing so even desired, since it's fairly trivial to implement outside of
: openssh?

I've been slowly working on a password interface but it's not ready to
integrate yet.  It would (eventually) include a change password
capability.

: On a related note, there was a change some time ago which made
: allowed_user reject users whose password has been set to "force change"
: with passwd -f (or equivalent). (Specifically, the check for sp_lstchg
: was set to >= 0 rather than > 0). The result is that there's no way to
: force a user to change his password on next login, because doing so
: makes him unable to log in. Is there any reason not to reverse this?
: Digging through the list archives, it looks like the change was
: suggested by stevesk at sweden.hp.com, but I don't see any discussion of
: why the new behavior is preferred.

Given that there wasn't functionality to force a user to change their
password when sp_lstchg==0, I took a paranoid stance and decided to not
let them log in.  Also we don't let users with expired passwords log in
either, so it was consistent with that.
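
An added example, not part of the original messages and not OpenSSH code: it classifies shadow aging fields so a forced change (sp_lstchg == 0) can be told apart from an expired password, and shows how the lower bound on sp_lstchg decides whether a forced-change user is refused. The struct, function names and sample values are assumptions, as is the exact form of the expiry test; the thread only states that the bound changed from > 0 to >= 0.

```c
#include <stdio.h>

/* Aging fields named after struct spwd in <shadow.h>; values are days since
 * 1970-01-01 and -1 means "not set". The local struct is an assumption so
 * the example builds on systems without shadow support. */
struct aging { long sp_lstchg, sp_max, sp_warn; };

enum pw_state { PW_OK, PW_WARN, PW_EXPIRED, PW_MUST_CHANGE };

/* Classify an entry so a caller can run a password change for the
 * forced-change case instead of treating it like any expired password. */
enum pw_state pw_classify(const struct aging *sp, long today)
{
    if (sp->sp_lstchg == 0)
        return PW_MUST_CHANGE;          /* set by "passwd -f" or equivalent */
    if (sp->sp_lstchg < 0 || sp->sp_max < 0)
        return PW_OK;                   /* aging not configured */
    long expires = sp->sp_lstchg + sp->sp_max;
    if (today > expires)
        return PW_EXPIRED;
    if (sp->sp_warn >= 0 && today >= expires - sp->sp_warn)
        return PW_WARN;                 /* inside the warning window */
    return PW_OK;
}

/* Deny-on-expiry test with a selectable lower bound on sp_lstchg:
 * zero_counts = 1 models ">= 0", zero_counts = 0 models "> 0". */
int pw_denied(const struct aging *sp, long today, int zero_counts)
{
    int set = zero_counts ? sp->sp_lstchg >= 0 : sp->sp_lstchg > 0;
    return set && sp->sp_max >= 0 && today > sp->sp_lstchg + sp->sp_max;
}

int main(void)
{
    long today = 11307;                 /* constructed: 2000-12-16 */
    struct aging forced = { 0, 90, 7 }; /* constructed sample entries */
    struct aging soon = { 11220, 90, 7 };
    struct aging old = { 11000, 90, 7 };

    printf("forced: state=%d denied(>=0)=%d denied(>0)=%d\n",
           pw_classify(&forced, today), pw_denied(&forced, today, 1),
           pw_denied(&forced, today, 0));
    printf("soon:   state=%d\n", pw_classify(&soon, today));
    printf("old:    state=%d denied(>0)=%d\n",
           pw_classify(&old, today), pw_denied(&old, today, 0));
    return 0;
}
```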







More information about the openssh-unix-dev mailing list