Possible issue with PAM/OpenSSH?

Williams, Marty Marty.Williams at ps.net
Fri May 3 01:51:16 EST 2002


I recently compiled OpenSSH and its supporting products (see version list
below) for my Solaris 8 system.  With the exception of options changing the
install locations of the products and the fact that the versions of the
software I used were current, I followed the same procedure used to compile and
install the products outlined in the Sun white paper "Building and Deploying
OpenSSH for the Solaris Operating Environment"
(http://www.sun.com/solutions/blueprints/0701/openSSH.pdf) using gcc.

Version List
------------
OpenSSH 3.1p1
Libgcc 3.0.3
OpenSSL 0.9.6c
Prngd 0.9.24
Xinetd 2.3.3
Zlib 1.1.4

After the compilation and installation, when attempting to use ssh to login
to a system as a user with an expired password (but only if password aging
is turned off for that user - either zeroes or blanks in the min and max
fields in /etc/shadow), the ssh server system prompts me to change the
password and then asks for the current password.  Upon entering the current
password, on an intermittent basis I get a message saying:

"removing root credentials would break the rpc services that use secure rpc
on this host!  root may use keylogout -f to do this (at your own risk)!"
 
and then the connection is closed.

This message is apparently coming from the pam_unix.so.1 library.
 
At other times, after entering the current password, I am prompted for the
new password, as one would expect and I can successfully change the
password.

The messages file indicates an unknown error (-1) with the function
pam_chauthtok.

Also, if password aging is turned on for the user, I have not seen this
problem.

I checked this issue out on another system (a Netra with a pre-loaded OS)
where OpenSSH and the supporting products had been installed from the
Solaris packages available from SunFreeware.com.  This system never showed
the problem even if the shadow file contained zeroes or blanks for the min
and max values for the user with an expired password.

Do you have any thoughts on why I am seeing this error message?

Marty Williams



More information about the openssh-unix-dev mailing list