OpenSSH + PADL pam_ldap.so + password aging

Roylance, Stephen D. SROYLANCE at PARTNERS.ORG
Tue Dec 23 10:15:19 EST 2003


First, my config:
Solaris 8
PADL pam_ldap v165 and pam_nss v211
OpenSSH 3.7.1.p2
All compiled with gcc 2.95.3 that ships with the Sun companion CD

LDAP PAM authentication is working well with OpenSSH, privsep is disabled,
challenge-response authentication is enabled.  I would like to turn on
password aging, which seems to be well supported by pam_ldap.  Logins going
through /bin/login correctly display warnings and run through the password
change when required.

Password aging is not completely broken through OpenSSH, but not perfect
either.  Warnings are not displayed at all.  Here is a transcript of an
expired password session through login:
>SunOS 5.8
>
>login: sdr
>Password:
>You are required to change your LDAP password immediately.
>Choose a new password.
>Enter login(LDAP) password:
>LDAP Password incorrect: try again
>Enter login(LDAP) password:
>New password:
>Re-enter new password:
>LDAP password information changed for sdr
>No directory! Logging in with home=/
>Last login: Mon Dec 22 17:02:57 from someplace.somewhere
>bash-2.03$

and OpenSSH (Putty client) looks like this:
>login as: sdr
>Password:
>Enter login(LDAP) password:
>New password:
>Re-enter new password:
>LDAP password information changed for sdrLast login: Mon Dec 22 17:03:50 2003 from someplace.somewhere
>Could not chdir to home directory /export/home/sdr: No such file or directory
>bash-2.03$

So the password change is being forced, but some of the prompts from
pam_ldap are being lost.  I'm not sure where to go from here, so any help or
guidance is appreciated.  Please keep me on the CC list as I am not
subscribed to the list.

Thank You,
Steve Roylance
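An added example, not code from the post or from OpenSSH or pam_ldap: it models in Python how the messages a PAM module hands to the conversation callback map onto SSH keyboard-interactive (RFC 4256) info requests, and why text that is not a prompt can disappear. The message sequence is constructed from the /bin/login transcript above; the style constants and the request structure are simplified stand-ins.

```python
# Added example (not from the post, OpenSSH or pam_ldap): models the PAM
# conversation callback feeding SSH keyboard-interactive info requests.
from dataclasses import dataclass, field

# PAM conversation message styles (values are illustrative stand-ins).
PAM_PROMPT_ECHO_OFF, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO = 1, 2, 3, 4

@dataclass
class InfoRequest:
    """One SSH_MSG_USERAUTH_INFO_REQUEST: instruction text plus prompts."""
    instruction: str = ""
    prompts: list = field(default_factory=list)  # (prompt text, echo) pairs

# Constructed sequence: what pam_ldap delivers through conv() for an expired
# password, taken line by line from the /bin/login transcript in the post.
EXPIRED_CONV = [
    (PAM_TEXT_INFO, "You are required to change your LDAP password immediately."),
    (PAM_TEXT_INFO, "Choose a new password."),
    (PAM_PROMPT_ECHO_OFF, "Enter login(LDAP) password:"),
    (PAM_PROMPT_ECHO_OFF, "New password:"),
    (PAM_PROMPT_ECHO_OFF, "Re-enter new password:"),
    (PAM_TEXT_INFO, "LDAP password information changed for sdr"),
]

def conv_to_kbdint(messages, forward_info=True):
    """Turn one PAM conv() batch into keyboard-interactive requests.

    forward_info=False drops every PAM_TEXT_INFO / PAM_ERROR_MSG message,
    which is how the two warning lines before the first prompt vanish in
    the PuTTY session shown in the post.  forward_info=True carries such
    text in the request's instruction field and flushes trailing text as a
    zero-prompt request, which RFC 4256 allows so a client can display
    text without asking for input.
    """
    requests, pending = [], []
    for style, text in messages:
        if style in (PAM_TEXT_INFO, PAM_ERROR_MSG):
            if forward_info:
                pending.append(text)
        else:
            echo = style == PAM_PROMPT_ECHO_ON
            requests.append(InfoRequest("\n".join(pending), [(text, echo)]))
            pending = []
    if pending:
        requests.append(InfoRequest("\n".join(pending), []))
    return requests

def shown_text(requests):
    """Everything the client would display, in order, one line per item."""
    out = []
    for r in requests:
        if r.instruction:
            out.extend(r.instruction.split("\n"))
        out.extend(p for p, _ in r.prompts)
    return out
```

Comparing `shown_text(conv_to_kbdint(EXPIRED_CONV, forward_info=False))` with the `forward_info=True` result shows exactly which lines a prompt-only conversation handler loses.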

