[Bug 511] PublickKeyAuthentication failures when account password expires
bugzilla-daemon at mindrot.org
Tue Mar 18 20:49:43 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=511
------- Additional Comments From dtucker at zip.com.au 2003-03-18 20:49 -------
Currently sshd checks for password/account expiry very early in the login
process (before the authentication methods are negotiated, in
auth.c:allowed_user()) so it's probably not a trivial change to omit this check
for public-key authentication only.

I don't think it's a good idea to do this even if it was easy. (Note that I
didn't think the AIX rlogin thing was a good idea at first either :-)

AIX currently does this (doesn't expire passwords via SSH password or
public-key) and I'm trying to get that *fixed*. It's OK until you need to get
in some way other than ssh (eg sshd is broken or you're at the console) then
you're screwed.

Also note that on Solaris cron jobs will fail for accounts with expired
passwords (on Solaris 8 you get "! bad user (testuser)..." on cron's log).

If you don't want password expiry, don't enable it for those accounts. If
you must have it enabled, set the password to something random (eg
"openssl rand 6 | mimencode | autopasswd batchaccount") once per month via
cron :-).
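An added example, not part of the original comment and not sshd's own code: an audit that flags accounts whose password or account expiry would make the early check described above reject a public-key login or break a cron job. It assumes the standard shadow(5) field layout (last change in field 3, maximum age in field 5, account expiry in field 8, all in days since 1970-01-01); the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Classify shadow(5)-format entries read from stdin by expiry state.
# Usage: expiry_audit TODAY_DAYS WARN_DAYS < shadow-format-input
# TODAY_DAYS is days since 1970-01-01, e.g. $(( $(date +%s) / 86400 )).
expiry_audit() {
    awk -F: -v today="$1" -v warn="$2" '
    /^#/ || NF < 8 { next }            # skip comments and short lines
    {
        user = $1; lastchg = $3; max = $5; expire = $8
        status = "ok"
        if (expire != "" && today >= expire + 0)
            status = "account-expired"
        else if (lastchg == "0")       # 0 means change required at next login
            status = "change-required"
        else if (lastchg != "" && max != "" && max + 0 > 0) {
            left = (lastchg + max) - today
            if (left < 0)
                status = "password-expired"
            else if (left <= warn)
                status = "expires-in-" left "d"
        }
        if (status != "ok") print user, status
    }'
}

# Constructed sample entries (password field is a locked placeholder).
sample_shadow() {
    cat <<'EOF'
# name:pw:lastchg:min:max:warn:inactive:expire:reserved
batchaccount:!:12090:0:30:7:::
backup:!:12105:0:30:7:::
root:!:12000:0:99999:7:::
olduser:!:12000:0:99999:7::12100:
newhire:!:0:0:90:7:::
EOF
}

# Day 12129 is 2003-03-18; warn about anything expiring within 7 days.
sample_shadow | expiry_audit 12129 7
```

On a live system the input would be the real shadow file read as root, and the output is the list of batch or key-only accounts to fix before they are locked out.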