password aging

Dan Yefimov dan at
Fri Nov 14 05:24:36 EST 2003

On Thu, 13 Nov 2003, Douglas K. Fischer wrote:

> 3.7.1p2 with PrivSep and PAM. Users no longer receive notice in the 7 days 
> prior to password expiration, and once their password expires, they are 
> unable to login. As soon as they enter their password the SSH connection is 
> terminated with the following in /var/log/secure:
> Oct 28 14:50:47 dumbledore sshd[1677]: fatal: Password expired (unable to 
> change with privsep)
> I haven't bothered to investigate this further yet, not high enough in my 
> priority queue.
Unfortunately, changing an expired password doesn't work with privilege separation 
enabled. Despite the 'UsePAM no' setting, PAM is still used because 
challenge-response authentication is enabled. What's more, without PAM support 
compiled in, sshd doesn't support the password aging mechanism. So the only way to 
make password aging work (of course, if you still want it) is to disable 
privilege separation. If you choose not to use password aging in sshd, you should 
disable challenge-response authentication.

    Sincerely yours, Dan.
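
An added example, not part of the original post or of OpenSSH: a small audit of sshd_config text for the option interaction described in the reply above. The default values, the finding codes, the `pam_compiled_in` parameter and the sample configuration are assumptions made for illustration.

```python
import re

# Assumed defaults for an OpenSSH 3.7.x build; the post does not state them.
DEFAULTS = {"useprivilegeseparation": "yes",
            "challengeresponseauthentication": "yes",
            "usepam": "no"}

MESSAGES = {
    "NO_AGING": "sshd built without PAM: no password aging support",
    "EXPIRED_PW_LOCKOUT": "PAM in use with privsep: expired passwords cannot "
                          "be changed, login ends with 'fatal: Password expired'",
    "USEPAM_NO_BYPASSED": "'UsePAM no' is set but challenge-response "
                          "authentication still goes through PAM",
}

def parse_sshd_config(text):
    """Parse 'Keyword value' / 'Keyword=value' lines; keywords are case-insensitive."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            # sshd keeps the first value it reads for a keyword
            opts.setdefault(parts[0].lower(), parts[1].strip().lower())
    return opts

def audit(text, pam_compiled_in=True):
    """Return finding codes for the interaction described in the reply."""
    opts = {**DEFAULTS, **parse_sshd_config(text)}
    privsep = opts["useprivilegeseparation"] == "yes"
    chalresp = opts["challengeresponseauthentication"] == "yes"
    usepam = opts["usepam"] == "yes"
    if not pam_compiled_in:
        return ["NO_AGING"]
    findings = []
    if privsep and (usepam or chalresp):
        findings.append("EXPIRED_PW_LOCKOUT")
    if chalresp and not usepam:
        findings.append("USEPAM_NO_BYPASSED")
    return findings

# Constructed sample configuration (not from the post).
SAMPLE = """
# sshd_config
UsePrivilegeSeparation yes
ChallengeResponseAuthentication yes
UsePAM no
"""

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print(code, "-", MESSAGES[code])
```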

More information about the openssh-unix-dev mailing list