password aging problem with ssh protocol 2
Kevin Steves
kevin at atomicgears.com
Fri Aug 30 06:56:48 EST 2002

On Wed, Aug 28, 2002 at 11:36:09AM -0700, Amulya Parthasarathy wrote:
> I'm using openssh3.1p1 and I'm having some problem with password aging
> with ssh protocol 2. Every time a password expires and I try to login I
> get the following message
>
> ssh username@hostname
> username@hostname's password:
> Warning: Your password has expired, please change it now
> Enter login password:
> removing root credentials would break the rpc services that
> use secure rpc on this host!
> root may use keylogout -f to do this (at your own risk)!
> Connection to hostname closed by remote host.
> Connection to hostname closed.
>
> But when I ssh into the same server using ssh -1 username@hostname it
> works just fine.
> ssh -1 username@hostname
> username@hostname's password:
> Warning: Your password has expired, please change it now
> Enter login password:
> New password:
> Re-enter new password:
> sshd (SYSTEM): passwd successfully changed for username
> Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
> Can anybody help me get this working for protocol 2?

Password change was disabled post 3.1 due to issues raised in bug 188.
I have incorporated changes made by Solar Designer into CVS but have
left password change disabled, until I had time to verify the changes
more thoroughly. I believe they may address 188 issues (Nico, can you
look at this?). Please test with current using the patch below.

That said, I have seen the issue above on Solaris 8, and I don't know
what the cause is. I also can't explain why it works with protocol 1.
As I recall, HP-UX 11 does work.

Index: auth-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth-pam.c,v
retrieving revision 1.54
diff -u -r1.54 auth-pam.c
--- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54
+++ auth-pam.c 29 Aug 2002 20:45:38 -0000
@@ -256,7 +256,7 @@
case PAM_SUCCESS:
/* This is what we want */
break;
-#if 0
+#if 1
case PAM_NEW_AUTHTOK_REQD:
message_cat(&__pam_msg, use_privsep ?
NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
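
Review bot: Flipping `#if 0` to `#if 1` around the `PAM_NEW_AUTHTOK_REQD` case leaves a conditional that is always true and records nothing about why the branch was disabled in the first place. Either drop the guard and its matching `#endif` outright, or replace it with a named compile-time macro so the forced password change can be switched off per platform without editing the source, and add a comment naming the bug it relates to. The branch also selects its message on `use_privsep`, so testing should cover the case with privilege separation on and the case with it off.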