bugzilla-daemon at mindrot.org
2005-Dec-06 11:31 UTC
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065

------- Comment #11 from joss at debian.org 2005-12-06 22:31 -------
Created an attachment (id=1036)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1036&action=view)
Debugging output of the issue

Finally, here is the output of sshd -ddd. First, in normal operation. Second, when the problem occurs. Third, with an expired password, and disabling public key authentication.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2005-Dec-06 22:53 UTC
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065

------- Comment #12 from dtucker at zip.com.au 2005-12-07 09:53 -------
(From update of attachment 1036)

This looks like the reason:

>PAM: pam_chauthtok(): User not known to the underlying authentication module

I suspect that the chauthtok() in the pam_ldap module relies on something set earlier during the authenticate(), and is bailing when it's not present due to the authentication being done via public-key and not PAM.

If that's the case, I can't see anything sshd can do to make pam_chauthtok() work under those conditions, it would require (probably minor) surgery on pam_ldap.

As a workaround you can try enabling UsePrivilegeSeparation: this will cause sshd to exec /usr/bin/password to change the password, rather than using pam_chauthtok() directly.
bugzilla-daemon at mindrot.org
2005-Dec-07 05:56 UTC
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065

------- Comment #13 from senthilkumar_sen at hotpop.com 2005-12-07 16:56 -------
There exists a description + workaround for the problem in HP-UX at http://docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf .
bugzilla-daemon at mindrot.org
2005-Dec-07 08:17 UTC
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065

------- Comment #14 from joss at debian.org 2005-12-07 19:17 -------
Thanks a lot, things indeed work with privilege separation enabled.

(Privilege separation didn't work with LDAP in OpenSSH 3.6, that's why we had disabled it.)
bugzilla-daemon at mindrot.org
2005-Dec-07 09:33 UTC
[Bug 1065] password expiration and SSH keys don't go well together
http://bugzilla.mindrot.org/show_bug.cgi?id=1065

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |WONTFIX

------- Comment #15 from dtucker at zip.com.au 2005-12-07 20:33 -------
Cool. Like I said, I don't think there's anything that sshd can do in the pam_chauthtok() case and you'd need to modify pam_ldap to make it work.

Closing bug.
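
A check for the configuration this thread identifies, as an added example that is not part of the original messages or of OpenSSH: it reads the global section of an sshd_config and reports whether public-key logins, PAM and disabled privilege separation coincide. The function names, the sample file and the fallback defaults (UsePAM no, UsePrivilegeSeparation yes, PubkeyAuthentication yes) are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag the sshd_config combination discussed in Bug 1065.
# Fallback defaults passed below are assumptions; adjust them to your build.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the first occurrence of a keyword; keywords are case-insensitive.
effective_value() {  # usage: effective_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            n = match(line, /[ \t=]+/)         # "Key value" or "Key=value"
            if (n == 0) next
            k = tolower(substr(line, 1, n - 1))
            v = tolower(substr(line, n + RLENGTH))
            if (k == "match") exit             # global section ends here
            if (k == key && !found) { found = 1; val = v }
        }
        END { print (found ? val : def) }
    ' "$1"
}

# Returns 0 and prints "affected" when public-key logins are allowed, PAM is
# in use and privilege separation is off: the case in which sshd calls
# pam_chauthtok() directly (comment #12) instead of running the passwd program.
bug1065_check() {  # usage: bug1065_check FILE
    pam=$(effective_value "$1" UsePAM no)
    privsep=$(effective_value "$1" UsePrivilegeSeparation yes)
    pubkey=$(effective_value "$1" PubkeyAuthentication yes)
    if [ "$pam" = yes ] && [ "$privsep" = no ] && [ "$pubkey" = yes ]; then
        echo "affected"; return 0
    fi
    echo "not affected"; return 1
}

# Constructed sample config (not taken from the bug report).
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'usepam yes' \
    'UsePrivilegeSeparation no' 'UsePrivilegeSeparation yes' > "$sample"
bug1065_check "$sample" || true   # first occurrence wins, so: affected
rm -f "$sample"
```

Run it against a copy of the server's sshd_config; settings inside Match blocks are deliberately ignored because only the global section is evaluated.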