5.1p on RHEL 3 and password expiration

Dan Yefimov dan at nf15.lightwave.net.ru
Fri Oct 17 07:29:59 EST 2008


On 16.10.2008 23:43, Stephen Harris wrote:
> [ Sorry for the length of this; I felt it better to provide potentially
>    too much info, rather than not enough.  I've probably missed something
>    that's important, though! ]
>
> I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
> "UsePrivilegeSeparation no" is set.  The code detects that the user
> password is aged (according to shadow) but then fails to let me change
> the password:
>
>    % ssh -p 2222 fred at localhost
>    fred at localhost's password:
>    You are required to change your password immediately (password aged)
>    Last login: Thu Oct 16 14:28:14 2008 from localhost.localdomain
>    Connection to localhost closed.
>
> If I run the server in -ddd mode,
>    % ssh fred at localhost -p 2222
>    fred at localhost's password:
>    You are required to change your password immediately (password aged)
>    Last login: Thu Oct 16 14:56:04 2008 from localhost.localdomain
>    debug1: PAM: changing password
>    PAM: pam_chauthtok(): Authentication token manipulation error
>    debug1: do_cleanup
>    Connection to localhost closed.
>
> On the server side, I see
>
>    Failed publickey for fred from 127.0.0.1 port 32786 ssh2
>    debug1: userauth-request for user fred service ssh-connection method password
>    debug1: attempt 3 failures 2
>    debug2: input_userauth_request: try method password
>    debug3: PAM: sshpam_passwd_conv called with 1 messages
>    debug1: PAM: password authentication accepted for fred
>    debug1: do_pam_account: called
>    debug3: PAM: sshpam_passwd_conv called with 1 messages
>    debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.)
>    debug3: sshpam_password_change_required 1
>    Accepted password for fred from 127.0.0.1 port 32786 ssh2
>    debug1: PAM: establishing credentials
>    debug3: PAM: opening session
>    debug1: Entering interactive session for SSH2.
>    debug2: fd 4 setting O_NONBLOCK
>    debug2: fd 5 setting O_NONBLOCK
>    debug1: server_init_dispatch_20
>    debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
>    debug1: input_session_request
>    debug1: channel 0: new [server-session]
>    debug2: session_new: allocate (allocated 0 max 10)
>    debug3: session_unused: session id 0 unused
>    debug1: session_new: session 0
>    debug1: session_open: channel 0
>    debug1: session_open: session 0: link with channel 0
>    debug1: server_input_channel_open: confirm session
>    debug1: server_input_global_request: rtype no-more-sessions at openssh.com want_reply 0
>    debug1: server_input_channel_req: channel 0 request pty-req reply 1
>    debug1: session_by_channel: session 0 channel 0
>    debug1: session_input_channel_req: session 0 req pty-req
>    debug1: Allocating pty.
>    debug1: session_pty_req: session 0 alloc /dev/pts/2
>    debug3: tty_parse_modes: SSH2 n_bytes 256
>    debug3: tty_parse_modes: ospeed 38400
>    debug3: tty_parse_modes: ispeed 38400
>    debug1: server_input_channel_req: channel 0 request shell reply 1
>    debug1: session_by_channel: session 0 channel 0
>    debug1: session_input_channel_req: session 0 req shell
>    debug1: Setting controlling tty using TIOCSCTTY.
>    debug2: fd 3 setting TCP_NODELAY
>    debug2: channel 0: rfd 8 isatty
>    debug2: fd 8 setting O_NONBLOCK
>    debug3: fd 6 is O_NONBLOCK
>    debug1: Received SIGCHLD.
>    debug1: session_by_pid: pid 6942
>    debug1: session_exit_message: session 0 channel 0 pid 6942
>    debug2: channel 0: request exit-status confirm 0
>    debug1: session_exit_message: release channel 0
>
>    [channel closing debug messages]
>
>    debug1: channel 0: free: server-session, nchannels 1
>    debug3: channel 0: status: The following connections are open:
>      #0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)
>
>    debug3: channel 0: close_fds r -1 w -1 e -1 c -1
>    Connection closed by 127.0.0.1
>    debug1: do_cleanup
>    debug1: PAM: cleanup
>    debug1: PAM: deleting credentials
>    debug1: PAM: closing session
>    debug3: PAM: sshpam_thread_cleanup entering
>    Transferred: sent 2240, received 2512 bytes
>    Closing connection to 127.0.0.1 port 32786
>
> If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password
> change process works...
>    WARNING: Your password has expired.
>    You must change your password now and login again!
>    Changing password for user fred.
>    Changing password for fred
>    (current) UNIX password:
>    New UNIX password:
>    Retype new UNIX password:
>    passwd: all authentication tokens updated successfully.
>    Connection to localhost closed.
>
> (that logout and login again process is annoying)
>
> The error message received looks very similar to a problem Darren had
> with LinuxPAM back in 2004 about setting the conversation, but I can't
> find if this was ever resolved
>    http://osdir.com/ml/pam/2004-06/msg00028.html
>
> Of course the RedHat provided OpenSSH3.6 package (with their gazillion
> patches) works just fine; allows the password to be changed and doesn't
> force a logout/login again.
>
> Any ideas?  I'm trying to standardise on a single version of OpenSSH over
> all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking
> at me pretty funny when my replacement package can't perform as well as
> the OS provided one!  (Of course it works fine on RHEL2.1, RHEL4 and
> Solaris, but we have a large RHEL3 footprint)
>
> sshd_config contents...
>
>    #Port 22
>    #Protocol 2,1
>    #AddressFamily any
>    #ListenAddress 0.0.0.0
>    #ListenAddress ::
>    #HostKey /etc/myssh/ssh/ssh_host_key
>    #HostKey /etc/myssh/ssh/ssh_host_rsa_key
>    #HostKey /etc/myssh/ssh/ssh_host_dsa_key
>    # Lifetime and size of ephemeral version 1 server key
>    #KeyRegenerationInterval 1h
>    #ServerKeyBits 768
>    # Logging
>    #obsoletes QuietMode and FascistLogging
>    #SyslogFacility AUTH
>    #LogLevel INFO
>    # Authentication:
>    LoginGraceTime 1m
>    PermitRootLogin yes
>    #StrictModes yes
>    #MaxAuthTries 6
>    RSAAuthentication yes
>    PubkeyAuthentication yes
>    AuthorizedKeysFile      /etc/myssh/ssh/auth_keys/%u
>    #RhostsRSAAuthentication no
>    #HostbasedAuthentication no
>    #IgnoreUserKnownHosts no
>    #IgnoreRhosts yes
>    PasswordAuthentication yes
>    PermitEmptyPasswords no
>    ChallengeResponseAuthentication no
>    #KerberosAuthentication no
>    #KerberosOrLocalPasswd yes
>    #KerberosTicketCleanup yes
>    #KerberosGetAFSToken no
>    #GSSAPIAuthentication no
>    #GSSAPICleanupCredentials yes
>    UsePAM yes
>    #AllowTcpForwarding yes
>    #GatewayPorts no
>    X11Forwarding yes
>    #X11DisplayOffset 10
>    #X11UseLocalhost yes
>    #PrintMotd yes
>    #PrintLastLog yes
>    #TCPKeepAlive yes
>    #UseLogin no
>    UsePrivilegeSeparation no
>    #PermitUserEnvironment no
>    Compression yes
>    #ClientAliveInterval 0
>    #ClientAliveCountMax 3
>    #UseDNS yes
>    #PidFile /var/run/sshd.pid
>    #MaxStartups 10
>    # no default banner path
>    # Banner /etc/issue
>    # override default of no subsystems
>    Subsystem       sftp    /opt/myssh/libexec/sftp-server
>
> Server:
>    RedHat Enterprise Linux 3
>    Linux 2.4.21-47.0.1.EL
>    pam-0.75-72
>    OpenSSH_5.1p1, OpenSSL 0.9.7k 05 Sep 2006
>
The only thing I can suggest to you is upgrading PAM too. The latest stable PAM 
version is 1.0.2. Best of all get the latest PAM source package from Fedora Core 
development branch, replace the main tarball with 1.0.2 one, modify patches to 
fit that version, and build. That approach is time consuming, but reliable.
-- 

Sincerely Your, Dan.


More information about the openssh-unix-dev mailing list