[Bug 511] PublickKeyAuthentication failures when account password expires

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Mar 18 20:49:43 EST 2003


------- Additional Comments From dtucker at zip.com.au  2003-03-18 20:49 -------
Currently sshd checks for password/account expiry very early in the login 
process (before the authentication methods are negotiated, in 
auth.c:allowed_user()) so it's probably not a trivial change to omit this check 
for public-key authentication only.

I don't think it's a good idea to do this even if it was easy.  (Note that I 
didn't think the AIX rlogin thing was a good idea at first either :-)

AIX currently does this (doesn't expire passwords via SSH password or 
public-key) and I'm trying to get that *fixed*.  It's OK until you need to get 
in some way other than ssh (eg sshd is broken or you're at the console) then 
you're screwed.

Also note that on Solaris cron jobs will fail for accounts with expired 
passwords (on Solaris 8 you get "! bad user (testuser)..." on cron's log).

If you don't want password expiry, don't enable it for those accounts.  If 
you must have it enabled, set the password to something random (eg "openssl rand 
6 | mimencode | autopasswd batchaccount") once per month via cron :-).

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

More information about the openssh-unix-dev mailing list