[Bug 1904] sshd refuses certificate-based authentication if password has expired

bugzilla-daemon at bugzilla.mindrot.org
Sat Jun 25 06:23:07 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1904

--- Comment #2 from mathew <meta at pobox.com> 2011-06-25 06:23:07 EST ---
Just checked using Debian 6.0 and default setup, which does have PAM
enabled. Created a new blank account, checked that certificate-based
authentication worked, and then expired the password and tried to run
an rsync session:

$ rsync -av -e 'ssh -l sshtest' haddock.txt castor.local:.
WARNING: Your password has expired.
Password change required but no TTY available.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(601) [sender=3.0.7]

From the logs, it looks as if pam_unix is always activated by sshd,
even if Unix password authentication is not being used:

<38>1 2011-06-24T15:09:23.691311-05:00 castor sshd 25622 - - Accepted publickey for sshtest from 10.0.1.200 port 45366 ssh2
<86>1 2011-06-24T15:09:23.692556-05:00 castor sshd 25622 - - pam_unix(sshd:session): session opened for user sshtest by (uid=0)

pam.d/sshd loads directives from common-password common-account
common-session and common-auth, so I grepped for pam_unix:

common-password:password        [success=1 default=ignore]      pam_unix.so obscure use_authtok try_first_pass sha512
common-account:account  [success=1 new_authtok_reqd=done default=ignore]      pam_unix.so
common-session:session  required pam_unix.so
common-auth:auth        [success=1 default=ignore]      pam_unix.so nullok_secure

I tried changing common-session to say 'sufficient pam_unix.so' instead
of required, restarted sshd, but it didn't seem to make any difference.
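As an added example (not part of this bug report, and not OpenSSH or Debian code), here is a small Python script that does mechanically what the grep above does by hand: it resolves a PAM service file through its @include lines and reports which stacks a given module appears in, and it parses the bracketed control field so the per-status actions are visible. The config text it reads is a constructed sample modelled on the Debian fragments quoted in this bug, not a copy of any real /etc/pam.d; the file names and helper functions are the example's own. The point it makes visible is that in common-account the control `[success=1 new_authtok_reqd=done default=ignore]` ends the account stack with the expired-password status, and sshd raises the "Password change required" condition from its PAM account check, so when a key-based login is refused for an expired password the account stack, not the session stack, is the one to inspect.

```python
"""Flatten a PAM service definition through @include and report which
stacks run a module and how the account stack treats an expired password.
Added example; the sample config below is constructed, not a real system's."""
import re
from typing import Dict, List, NamedTuple


class PamRule(NamedTuple):
    source: str               # file the rule came from
    type: str                 # auth | account | password | session
    control: Dict[str, str]   # bare keyword or parsed [key=value ...] form
    module: str
    args: List[str]


# Constructed sample modelled on the Debian common-* fragments quoted in the bug.
SAMPLE_FILES: Dict[str, str] = {
    "sshd": (
        "# PAM configuration for sshd (constructed sample)\n"
        "auth       required     pam_env.so\n"
        "@include common-auth\n"
        "account    required     pam_nologin.so\n"
        "@include common-account\n"
        "@include common-session\n"
        "@include common-password\n"
    ),
    "common-auth": (
        "auth\t[success=1 default=ignore]\tpam_unix.so nullok_secure\n"
        "auth\trequisite\t\t\tpam_deny.so\n"
        "auth\trequired\t\t\tpam_permit.so\n"
    ),
    "common-account": (
        "account\t[success=1 new_authtok_reqd=done default=ignore]\tpam_unix.so\n"
        "account\trequisite\t\t\tpam_deny.so\n"
        "account\trequired\t\t\tpam_permit.so\n"
    ),
    "common-session": (
        "session\t[default=1]\t\t\tpam_permit.so\n"
        "session\trequisite\t\t\tpam_deny.so\n"
        "session\trequired\t\t\tpam_permit.so\n"
        "session\trequired\tpam_unix.so\n"
    ),
    "common-password": (
        "password\t[success=1 default=ignore]\tpam_unix.so obscure use_authtok try_first_pass sha512\n"
        "password\trequisite\t\t\tpam_deny.so\n"
        "password\trequired\t\t\tpam_permit.so\n"
    ),
}

# type, control (bracketed or keyword), module path, optional arguments
RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$"
)


def parse_control(text: str) -> Dict[str, str]:
    """'[success=1 default=ignore]' -> {'success': '1', 'default': 'ignore'};
    a bare keyword such as 'required' -> {'keyword': 'required'}."""
    if text.startswith("[") and text.endswith("]"):
        return dict(tok.split("=", 1) for tok in text[1:-1].split())
    return {"keyword": text}


def parse_service(name: str, files: Dict[str, str], _depth: int = 0) -> List[PamRule]:
    """Return the rules of a service in evaluation order, following @include."""
    if _depth > 8:
        raise ValueError("@include nesting too deep (include loop?)")
    rules: List[PamRule] = []
    for raw in files[name].splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("@include"):
            rules.extend(parse_service(line.split()[1], files, _depth + 1))
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"{name}: unparsable line {raw!r}")
        rules.append(PamRule(name, m["type"], parse_control(m["control"]),
                             m["module"], m["args"].split()))
    return rules


def stacks_using(rules: List[PamRule], module: str) -> List[str]:
    """Stack types (sorted) in which the given module is invoked."""
    return sorted({r.type for r in rules if r.module == module})


def new_authtok_action(rules: List[PamRule], module: str) -> str:
    """What the account stack does when `module` reports new_authtok_reqd:
    the explicit action if present, else the control's default action, else
    the bare keyword; 'not in account stack' if the module is absent there."""
    for r in rules:
        if r.type == "account" and r.module == module:
            return r.control.get("new_authtok_reqd",
                                 r.control.get("default", r.control.get("keyword", "?")))
    return "not in account stack"


if __name__ == "__main__":
    resolved = parse_service("sshd", SAMPLE_FILES)
    for r in resolved:
        print(f"{r.source:16} {r.type:9} {r.module:16} {r.control}")
    print("pam_unix.so runs in stacks:", stacks_using(resolved, "pam_unix.so"))
    print("account stack on expired password:", new_authtok_action(resolved, "pam_unix.so"))
```

Pointing `SAMPLE_FILES` at the real contents of /etc/pam.d (reading each file by name) turns this into a quick audit of which stacks actually run for sshd; the parser only understands the line forms shown in the sample, so any other syntax raises rather than being silently skipped.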
