password aging problem with ssh protocol 2
Larry_Bamford at ao.uscourts.gov
Fri Aug 30 03:02:08 EST 2002
I'd like to add to this discussion, since I've had a similar problem. I
use OpenSSH 3.4p1 on Solaris 8, 7, 2.6, and 2.5.1. Most of the time I log
in successfully using public key authentication with no password challenge
(private key already cached). When the last change date for the password
is set to 0 or is otherwise expired, I get this:
local$ ssh remote
larry at remote's password: <enter correct password>
Permission denied, please try again:
larry at remote's password: <enter correct password again>
Received disconnect from <remote IP address>: 2: Too many authentication
failures for larry
local$
This happens whether or not I use privilege separation. To summarize (I
hope this chart translates):
On the OpenSSH server...

  last change date field   | password exists                 | password is locked (*LK*)
  -------------------------+---------------------------------+---------------------------------
  0 or otherwise expired   | public key authentication is    | public key authentication is
                           | defeated by inability to log in | defeated by inability to log in
                           | to change the password          | to change the password
  current or empty         | public key authentication works | public key authentication works
                           | with no password challenge      | with no password challenge
The last change date field is the first field after the encrypted password
in the shadow file. I won't go into all the ways this field can get
screwed up, but there are plenty of normal procedures that will result in
locking me out. Whether the password expired naturally or was forced so
by root, the end behavior is the same.
The other observation I have is with an expired or forced expired
password, I get the following in the authlog:
Aug 21 16:16:26 jdc30 sshd[14659]: User larry password has expired (root
forced) <-- OR (password aged)
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: input_userauth_request: illegal user
larry
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: Failed none for illegal user larry from
156.132.21.168 port 34182 ssh2
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:27 jdc30 sshd[14659]: Failed publickey for illegal user larry
from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:27 jdc30 last message repeated 4 times
Aug 21 16:16:27 jdc30 sshd[14659]: Failed keyboard-interactive for illegal
user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:27 jdc30 last message repeated 3 times
Aug 21 16:16:27 jdc30 sshd[14659]: Failed keyboard-interactive for illegal
user larry from 156.132.21.168 port 34182 ssh2
It declares me to be an "illegal user". And sshd -d -d -d output shows
"input_userauth_request: illegal user larry"
Does this help anybody isolate where the code is failing? Is sshd
misinterpreting the expired state of my password? But why is my password
being consulted at all when I have sufficient public key authentication to
get in? Why did publickey fail? Because I was branded an "illegal user"?
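The chart above says the trigger is the shadow file's last-change field (0 or aged out), not whether the entry is locked. The following audit, added here as example code rather than anything from the post, parses shadow-style lines and flags the accounts that would hit this state before anyone is locked out; the sample entries and hashes are constructed.

```python
"""Flag shadow entries whose password is force-expired or aged out.

Shadow line layout (Solaris and Linux alike):
  name:passwd:lastchg:min:max:warn:inactive:expire:flag
lastchg is days since the epoch; 0 means "must change at next login".
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

EPOCH = date(1970, 1, 1)


@dataclass
class ShadowEntry:
    name: str
    passwd: str
    lastchg: Optional[int]   # None when the field is empty
    maxdays: Optional[int]   # None or negative means no aging


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("malformed shadow line: %r" % line)
    num = lambda s: int(s) if s.strip() else None
    return ShadowEntry(fields[0], fields[1], num(fields[2]), num(fields[4]))


def aging_state(e: ShadowEntry, today: date) -> str:
    """'forced' (lastchg 0), 'aged' (past max), or 'ok'."""
    if e.lastchg == 0:
        return "forced"
    if e.lastchg is not None and e.maxdays is not None and e.maxdays >= 0:
        if (today - EPOCH).days > e.lastchg + e.maxdays:
            return "aged"
    return "ok"


def audit(lines: List[str], today: date) -> List[Tuple[str, str, bool]]:
    """Return (name, state, locked) for every entry that is not 'ok'."""
    out = []
    for line in lines:
        e = parse_shadow_line(line)
        state = aging_state(e, today)
        if state != "ok":
            out.append((e.name, state, e.passwd.startswith("*LK*")))
    return out


# Constructed sample: 'today' is 12000 days after the epoch (late 2002).
TODAY = EPOCH + timedelta(days=12000)
SAMPLE_SHADOW = [
    "larry:$1$constructed$hash:0:7:90:7:::",        # root forced a change
    "alice:*LK*$1$constructed$hash:11900:7:90:7:::",  # locked and aged out
    "bob:$1$constructed$hash:11950:7:90:7:::",        # current, fine
    "carol:*LK*$1$constructed$hash::::::::",          # locked, empty date
]
```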
Scott Burch <scott.burch at camberwind.com>
Sent by: openssh-unix-dev-admin at mindrot.org
08/28/02 03:21 PM
To: Amulya Parthasarathy <amulyap at getsmart.com>
cc: openssh-unix-dev at mindrot.org
Subject: Re: password aging problem with ssh protocol 2
Amulya,
This will only work on Solaris 8 with the version of OpenSSH you are
running. Password aging will only work on Solaris 2.6 with current
snapshots if you are not using privilege separation. If you are using
privilege separation on the current release or snapshots I don't believe
password aging works with any version of Solaris. Someone can correct me
if I'm wrong. The main problem is that PAM on Linux and other open
source operating systems has diverged substantially from PAM on Solaris
(where it originated). Most PAM operations on Solaris need to run as
root; there was some discussion about this some time ago. I don't know
if anyone is currently working on code to resolve these issues.
-Scott
Amulya Parthasarathy wrote:
>Hi,
>I'm using openssh3.1p1 and I'm having some problems with password aging
>with ssh protocol 2. Every time a password expires and I try to log in I
>get the following message:
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when I ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me get this working for protocol 2?
>
>Thanks
>R/Amulya
>
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev