password aging
Dan Yefimov
dan at D00M.integrate.com.ru
Fri Nov 14 05:24:36 EST 2003
On Thu, 13 Nov 2003, Douglas K. Fischer wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> 3.7.1p2 with PrivSep and PAM. Users no longer receive notice in the 7 days
> prior to password expiration, and once their password expires, they are
> unable to login. As soon as they enter their password the SSH connection is
> terminated with the following in /var/log/secure:
>
> Oct 28 14:50:47 dumbledore sshd[1677]: fatal: Password expired (unable to
> change with privsep)
>
> I haven't bothered to investigate this further yet, not high enough in my
> priority queue.
>
Unfortunately, changing an expired password doesn't work with privilege separation
enabled. Despite the 'UsePAM no' setting, PAM is still used because
challenge-response authentication is enabled. Even more, without PAM support
compiled in, sshd doesn't support the password aging mechanism. So the only way to
make password aging work (if you still want it, of course) is disabling
privilege separation. If you choose not to use password aging in sshd, you should
disable challenge-response authentication.
--
Sincerely Yours, Dan.
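The following is an added example, not part of the thread above and not OpenSSH's own code: a small POSIX shell audit that reads an sshd_config and applies the reasoning in the reply (privilege separation on plus PAM reached, whether through UsePAM or through challenge-response authentication, means expired passwords cannot be changed). It assumes a 3.7-era build with PAM compiled in, the defaults UsePrivilegeSeparation yes, ChallengeResponseAuthentication yes and UsePAM no, whitespace-separated "Keyword value" lines, and sshd's rule that the first occurrence of a keyword wins. The three config files it checks are constructed for the example.

```shell
#!/bin/sh
# Added example: classify an sshd_config with respect to password aging.
# Assumed OpenSSH 3.7-era defaults (not read from the binary):
#   UsePrivilegeSeparation yes, ChallengeResponseAuthentication yes, UsePAM no
# Assumes PAM support is compiled into sshd, as in the poster's 3.7.1p2 build.

# sshd_opt FILE KEYWORD DEFAULT: print the effective value of KEYWORD.
# Keywords are case-insensitive and the first occurrence wins; comments and
# blank lines are skipped. Values are lower-cased for easy comparison.
sshd_opt() {
    file=$1; key=$2; default=$3
    val=$(awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(k) { print tolower($2); exit }
    ' "$file")
    printf '%s\n' "${val:-$default}"
}

# check_password_aging FILE: print one of
#   aging-ok      privsep off, so an expired password can be changed at login
#   aging-broken  privsep on and PAM is reached (UsePAM yes, or challenge-response
#                 authentication on despite UsePAM no): login fails on expiry
#   no-aging      privsep on and PAM is never reached: no password aging at all
check_password_aging() {
    file=$1
    privsep=$(sshd_opt "$file" UsePrivilegeSeparation yes)
    chalresp=$(sshd_opt "$file" ChallengeResponseAuthentication yes)
    usepam=$(sshd_opt "$file" UsePAM no)

    if [ "$privsep" = no ]; then
        echo aging-ok
    elif [ "$usepam" = yes ] || [ "$chalresp" = yes ]; then
        echo aging-broken
    else
        echo no-aging
    fi
}

# Constructed sample configs (hypothetical hosts, not from the thread).
tmp=${TMPDIR:-/tmp}/sshd-aging.$$
mkdir -p "$tmp"
cat >"$tmp/default.conf" <<'EOF'
# stock-looking config: privsep and challenge-response left at their defaults
Port 22
UsePAM no
EOF
cat >"$tmp/noprivsep.conf" <<'EOF'
# the workaround from the reply: give up privilege separation to keep aging
UsePrivilegeSeparation no
UsePAM yes
EOF
cat >"$tmp/nopam.conf" <<'EOF'
# the other consistent choice: keep privsep, make sure PAM is never reached
usepam no
ChallengeResponseAuthentication No
EOF

for f in default noprivsep nopam; do
    printf '%s: %s\n' "$f" "$(check_password_aging "$tmp/$f.conf")"
done
```

Point the script at a real file with `check_password_aging /etc/ssh/sshd_config`; anything it reports as aging-broken is a host where users will see the "Password expired (unable to change with privsep)" failure quoted above once their password ages out.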