5.1p on RHEL 3 and password expiration

Stephen Harris lists at spuddy.org
Sat Oct 18 06:21:41 EST 2008

On Fri, Oct 17, 2008 at 11:35:35AM +1100, Darren Tucker wrote:
> You could disable PasswordAuthentication and require Protocol 2 with 
> keyboard-interactive authentication, which will probably work since it 
> does both authentication and password change through the same 
> conversation function).

That seemed to work just fine;
  < PasswordAuthentication yes
  > PasswordAuthentication no
  < ChallengeResponseAuthentication no
  > ChallengeResponseAuthentication yes

And now...
  $ ssh fred at localhost
  You are required to change your password immediately (password aged)
  Changing password for fred
  (current) UNIX password:
  New UNIX password:
  Retype new UNIX password:
  Last login: Fri Oct 17 15:15:18 2008 from localhost.localdomain

> It would be possible to hack around in sshd, however I don't think it's 
> worth the effort since it's demonstrably a (since fixed) LinuxPAM bug.

And the ChallengeResponseAuthentication acts as a sufficient workaround
for the older systems.

Thank you very much!



More information about the openssh-unix-dev mailing list