--with-pam and expired passwords

Darren Tucker dtucker at zip.com.au
Sat Jan 10 11:19:34 EST 2004

Mordechai T. Abzug wrote:
> First off, thanks for the --with-pam fix that lets users with expired
> passwords change their passwords.  It's wonderful, and has finally
> allowed us to migrate to openssh after a couple of years.
> Problem: after openssh allows a user with an expired password to log
> in, said user does not have any X11 and agent forwardings that have
> been set up.  This can be a support issue for naive users who don't
> understand why they can't run X programs.

What version are you using?  The keyboard-interactive code in OpenSSH 
-current should work (I just tested it and it seems to work).  The 
non-keyboard-interactive methods (ie chauthtok-in-session and 
passwd-in-session methods) can't easily reset the forwarding flags 
because they're in a different process.

$ ssh -p 2022 localhost -o PreferredAuthentications=keyboard-interactive 
-X -l testuser
You are required to change your password immediately (password aged)
Changing password for testuser
(current) UNIX password:
New password:
Retype new password:
Running /usr/X11R6/bin/xauth remove unix:16.0
/usr/X11R6/bin/xauth add unix:16.0 MIT-MAGIC-COOKIE-1 
debug1: Received SIGCHLD.
[testuser at gate testuser]$ echo $DISPLAY

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
     Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list