User unable to log into Solaris when password has been expired by root
Darren Tucker
dtucker at zip.com.au
Thu Oct 2 22:22:18 EST 2003
"Manton, Doug" wrote:
>
> I have a question.
>
> Our process for creating a new user account on our Solaris systems is to
> force expire (passwd -f) the user's password so they have to choose their own
> when they log in. However, since building OpenSSH 3.7.1p2 I find that new
> users are unable to log in with the following syslog messages:
>
> Oct 2 12:37:42 hostname sshd[1754]: User tester password has expired
> (root forced)
> Oct 2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester
> from 10.10.67.135 port 33595 ssh2
> Oct 2 12:37:45 hostname sshd[1754]: Failed password for illegal user
> tester from 10.10.67.135 port 33595 ssh2
>
> What is the rationale behind this behaviour? It's not like I have locked
> the account -- how can I ensure my new users get access? Can I simply
> modify the test in auth.c or is there a 'proper' way to achieve the desired
> behaviour?

Strictly speaking, it's because sshd supports password expiry (ie it knows
that the password is expired), but doesn't (yet) support forcing changes
of expired passwords. Supporting that has been a work-in-progress for,
oh, about a year now :-)

It should be fixed soon. Really. I mean it this time. Until then, you
can apply the password expiry patch here:
http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
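
Added example, not part of the original post or of OpenSSH: in the log quoted above, an existing account whose password root has force-expired is reported as "illegal user", so the failures look like attempts against an unknown account. This sketch separates the two cases by correlating on sshd PID and user name; the sample holds the post's three log lines (unwrapped) plus one constructed line, and the function and category names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the post (unwrapped) plus one
# constructed failure for a different account with no expiry message.
SAMPLE_LOG = """\
Oct  2 12:37:42 hostname sshd[1754]: User tester password has expired (root forced)
Oct  2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester from 10.10.67.135 port 33595 ssh2
Oct  2 12:37:45 hostname sshd[1754]: Failed password for illegal user tester from 10.10.67.135 port 33595 ssh2
Oct  2 12:40:01 hostname sshd[1760]: Failed password for illegal user nosuch from 10.10.67.200 port 40112 ssh2
"""

SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EXPIRED = re.compile(r"^User (?P<user>\S+) password has expired \(root forced\)$")
FAILED = re.compile(r"^Failed (?P<method>\S+) for illegal user (?P<user>\S+) "
                    r"from (?P<ip>\S+) port \d+")


def classify(log_text):
    """Split 'illegal user' failures into forced-expiry rejections and the rest.

    Correlation is by (sshd pid, user): the expiry message and the failures
    that follow it come from the same sshd process, as in the post's log.
    PIDs can be reused over time, so feed this one bounded log window.
    """
    expired = set()                 # (pid, user) pairs flagged as expired
    result = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD.search(line)
        if not m:
            continue                # not an sshd line
        pid, msg = m.group("pid"), m.group("msg")
        e = EXPIRED.match(msg)
        if e:
            expired.add((pid, e.group("user")))
            continue
        f = FAILED.match(msg)
        if f:
            hit = (pid, f.group("user")) in expired
            kind = "forced_expiry" if hit else "other_illegal_user"
            result[kind].append((f.group("user"), f.group("method"), f.group("ip")))
    return dict(result)


if __name__ == "__main__":
    for kind, events in classify(SAMPLE_LOG).items():
        print(kind, events)
```

Accounts listed under `forced_expiry` are the ones an administrator expired with `passwd -f`, not unknown user names.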