5.1p on RHEL 3 and password expiration

Stephen Harris lists at spuddy.org
Fri Oct 17 06:43:30 EST 2008 

[ Sorry for the length of this; I felt it better to provide potentially
  too much info, rather than not enough.  I've probably missed something
  that's important, though! ]

I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
"UsePrivilegeSeparation no" is set.  The code detects that the user
password is aged (according to shadow) but then fails to let me change
the password:

  % ssh -p 2222 fred at localhost
  fred at localhost's password: 
  You are required to change your password immediately (password aged)
  Last login: Thu Oct 16 14:28:14 2008 from localhost.localdomain
  Connection to localhost closed.

If I run the server in -ddd mode,
  % ssh fred at localhost -p 2222
  fred at localhost's password: 
  You are required to change your password immediately (password aged)
  Last login: Thu Oct 16 14:56:04 2008 from localhost.localdomain
  debug1: PAM: changing password
  PAM: pam_chauthtok(): Authentication token manipulation error
  debug1: do_cleanup
  Connection to localhost closed.

On the server side, I see

  Failed publickey for fred from 127.0.0.1 port 32786 ssh2
  debug1: userauth-request for user fred service ssh-connection method password
  debug1: attempt 3 failures 2
  debug2: input_userauth_request: try method password
  debug3: PAM: sshpam_passwd_conv called with 1 messages
  debug1: PAM: password authentication accepted for fred
  debug1: do_pam_account: called
  debug3: PAM: sshpam_passwd_conv called with 1 messages
  debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.)
  debug3: sshpam_password_change_required 1
  Accepted password for fred from 127.0.0.1 port 32786 ssh2
  debug1: PAM: establishing credentials
  debug3: PAM: opening session
  debug1: Entering interactive session for SSH2.
  debug2: fd 4 setting O_NONBLOCK
  debug2: fd 5 setting O_NONBLOCK
  debug1: server_init_dispatch_20
  debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
  debug1: input_session_request
  debug1: channel 0: new [server-session]
  debug2: session_new: allocate (allocated 0 max 10)
  debug3: session_unused: session id 0 unused
  debug1: session_new: session 0
  debug1: session_open: channel 0
  debug1: session_open: session 0: link with channel 0
  debug1: server_input_channel_open: confirm session
  debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0
  debug1: server_input_channel_req: channel 0 request pty-req reply 1
  debug1: session_by_channel: session 0 channel 0
  debug1: session_input_channel_req: session 0 req pty-req
  debug1: Allocating pty.
  debug1: session_pty_req: session 0 alloc /dev/pts/2
  debug3: tty_parse_modes: SSH2 n_bytes 256
  debug3: tty_parse_modes: ospeed 38400
  debug3: tty_parse_modes: ispeed 38400
  debug1: server_input_channel_req: channel 0 request shell reply 1
  debug1: session_by_channel: session 0 channel 0
  debug1: session_input_channel_req: session 0 req shell
  debug1: Setting controlling tty using TIOCSCTTY.
  debug2: fd 3 setting TCP_NODELAY
  debug2: channel 0: rfd 8 isatty
  debug2: fd 8 setting O_NONBLOCK
  debug3: fd 6 is O_NONBLOCK
  debug1: Received SIGCHLD.
  debug1: session_by_pid: pid 6942
  debug1: session_exit_message: session 0 channel 0 pid 6942
  debug2: channel 0: request exit-status confirm 0
  debug1: session_exit_message: release channel 0

  [channel closing debug messages]

  debug1: channel 0: free: server-session, nchannels 1
  debug3: channel 0: status: The following connections are open:
    #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

  debug3: channel 0: close_fds r -1 w -1 e -1 c -1
  Connection closed by 127.0.0.1
  debug1: do_cleanup
  debug1: PAM: cleanup
  debug1: PAM: deleting credentials
  debug1: PAM: closing session
  debug3: PAM: sshpam_thread_cleanup entering
  Transferred: sent 2240, received 2512 bytes
  Closing connection to 127.0.0.1 port 32786

If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password
change process works...
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user fred.
  Changing password for fred
  (current) UNIX password: 
  New UNIX password: 
  Retype new UNIX password: 
  passwd: all authentication tokens updated successfully.
  Connection to localhost closed.

(that logout and login again process is annoying)

The error message received looks very similar to a problem Darren had
with LinuxPAM back in 2004 about setting the conversation, but I can't
find if this was ever resolved
  http://osdir.com/ml/pam/2004-06/msg00028.html

Of course the RedHat provided OpenSSH3.6 package (with their gazillion
patches) works just fine; allows the password to be changed and doesn't
force a logout/login again.

Any ideas?  I'm trying to standardise on a single version of OpenSSH over
all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking
at me pretty funny when my replacement package can't perform as well as
the OS provided one!  (Of course it works fine on RHEL2.1, RHEL4 and
Solaris, but we have a large RHEL3 footprint)

sshd_config contents...

  #Port 22
  #Protocol 2,1
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::
  #HostKey /etc/myssh/ssh/ssh_host_key
  #HostKey /etc/myssh/ssh/ssh_host_rsa_key
  #HostKey /etc/myssh/ssh/ssh_host_dsa_key
  # Lifetime and size of ephemeral version 1 server key
  #KeyRegenerationInterval 1h
  #ServerKeyBits 768
  # Logging
  #obsoletes QuietMode and FascistLogging
  #SyslogFacility AUTH
  #LogLevel INFO
  # Authentication:
  LoginGraceTime 1m
  PermitRootLogin yes
  #StrictModes yes
  #MaxAuthTries 6
  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile      /etc/myssh/ssh/auth_keys/%u
  #RhostsRSAAuthentication no
  #HostbasedAuthentication no
  #IgnoreUserKnownHosts no
  #IgnoreRhosts yes
  PasswordAuthentication yes
  PermitEmptyPasswords no
  ChallengeResponseAuthentication no
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  UsePAM yes
  #AllowTcpForwarding yes
  #GatewayPorts no
  X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  UsePrivilegeSeparation no
  #PermitUserEnvironment no
  Compression yes
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS yes
  #PidFile /var/run/sshd.pid
  #MaxStartups 10
  # no default banner path
  # Banner /etc/issue
  # override default of no subsystems
  Subsystem       sftp    /opt/myssh/libexec/sftp-server

Server:
  RedHat Enterprise Linux 3
  Linux 2.4.21-47.0.1.EL
  pam-0.75-72
  OpenSSH_5.1p1, OpenSSL 0.9.7k 05 Sep 2006

Thanks for your time!

-- 

rgds
Stephen

More information about the openssh-unix-dev mailing list