password aging question

BRADLEY PENDERGAST BPENDERGAST at corvis.com.au
Mon May 17 15:53:12 EST 2004


Version 3.8.1 of OpenSSH has been compiled on a Solaris 8 host. I am having
difficulties in enabling password aging to work from reading
/etc/default/passwd and /etc/shadow.

# passwd -f <user-id> works satisfactorily; however, once a password ages
through due course from the settings in /etc/default/passwd and /etc/shadow,
the users are not prompted to change passwords and the user is logged out
immediately.

I have searched this site and the WWW looking for a solution, and have
followed some suggestions to set up privileged separation, but still no luck.


Does password aging work with OpenSSH?
Below are my compile options and configuration file.

Many thanks
Brad

# ./configure --prefix=/opt/ssh \
> --without-pam --disable-suid-ssh --without-rsh \
> --with-lastlog=/var/adm/lastlog \
> --with-pgp --with-nologin-allow=/etc/nolgin.allow \
> --without-none --with-privsep-user=sshd \
> --with-privsep-path=/var/empty \
> --without-prng --without-rand-helper

# cat sshd_config
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
Banner /etc/issue

# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server


Brad Pendergast
Systems Administration
Business Technology Services
Credit Union Services Corporation (Australia) Limited

Telephone (02) 8299 9358
Facsimile    (02) 8299 9638
E-mail:         bpendergast at cuscal.com.au
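
The post describes two states: a change forced with `passwd -f` and a password that ages out through the /etc/shadow fields. The following is an added example, not part of the original message, that classifies accounts from shadow(4)-format lines so an administrator can see which state each account is in. The function names, the sample accounts and the day number 12555 are constructed for illustration, and a POSIX shell with awk is assumed.

```shell
#!/bin/sh
# Classify password-aging state from shadow(4)-format lines on stdin.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# lastchg is a day count since 1970-01-01; min, max and warn are in days.
# Usage: shadow_aging TODAY_AS_DAY_NUMBER < shadow-file
shadow_aging() {
    awk -F: -v today="$1" '
    $1 == "" || $1 ~ /^#/ { next }            # skip blank and comment lines
    {
        lastchg = $3; max = $5; warn = $6
        has_max = (max != "" && max + 0 >= 0) # empty or negative: no maximum age
        if (lastchg == "") {
            state = "no-aging"                # no aging data recorded
        } else if (lastchg + 0 == 0) {
            state = "must-change"             # the state passwd -f leaves behind
        } else if (has_max && today + 0 > lastchg + max) {
            state = "expired"                 # aged out through max
        } else if (has_max && warn != "" && today + 0 >= lastchg + max - warn) {
            state = "warn"                    # inside the warning window
        } else {
            state = "ok"
        }
        printf "%s %s\n", $1, state
    }'
}

# Constructed sample input (not real accounts, hashes replaced by "x").
sample_shadow() {
    cat <<'EOF'
alice:x:12400:0:90:7:::
bob:x:0:0:90:7:::
carol:x:12470:0:90:7:::
dave:x:12550:0:90:7:::
erin:x:::::::
EOF
}

# Day 12555 is a constructed "today" for the sample run.
sample_shadow | shadow_aging 12555
```

Accounts reported as `expired` are the ones that hit the behaviour described above, while `must-change` corresponds to the `passwd -f` case that already works.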






More information about the openssh-unix-dev mailing list