Manton, Doug
2003-Oct-02 12:10 UTC
User unable to log into Solaris when password has been expired by root
I have a question.

Our process for creating a new user account on our Solaris systems is to force expire (passwd -f) the user's password so they have to choose their own when they log in. However, since building OpenSSH 3.7.1p2 I find that new users are unable to log in with the following syslog messages:

Oct 2 12:37:42 hostname sshd[1754]: User tester password has expired (root forced)
Oct 2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester from 10.10.67.135 port 33595 ssh2
Oct 2 12:37:45 hostname sshd[1754]: Failed password for illegal user tester from 10.10.67.135 port 33595 ssh2

What is the rationale behind this behaviour? It's not like I have locked the account -- how can I ensure my new users get access? Can I simply modify the test in auth.c or is there a 'proper' way to achieve the desired behaviour?

Many thanks,

---
Doug Manton, Managed Security Services
AT&T Business, Building 6000 Langstone Technology Park, Havant, United Kingdom
Darren Tucker
2003-Oct-02 12:22 UTC
User unable to log into Solaris when password has been expired by root
"Manton, Doug" wrote:
>
> I have a question.
>
> Our process for creating a new user account on our Solaris systems is to
> force expire (passwd -f) the user's password so they have to choose their own
> when they log in. However, since building OpenSSH 3.7.1p2 I find that new
> users are unable to log in with the following syslog messages:
>
> Oct 2 12:37:42 hostname sshd[1754]: User tester password has expired
> (root forced)
> Oct 2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester
> from 10.10.67.135 port 33595 ssh2
> Oct 2 12:37:45 hostname sshd[1754]: Failed password for illegal user
> tester from 10.10.67.135 port 33595 ssh2
>
> What is the rationale behind this behaviour? It's not like I have locked
> the account -- how can I ensure my new users get access? Can I simply
> modify the test in auth.c or is there a 'proper' way to achieve the desired
> behaviour?

Strictly speaking, it's because sshd supports password expiry (i.e. it knows that the password is expired), but doesn't (yet) support forcing changes of expired passwords.

Supporting that has been a work-in-progress for, oh, about a year now :-) It should be fixed soon. Really. I mean it this time.

Until then, you can apply the password expiry patch here:
http://www.zip.com.au/~dtucker/openssh/

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
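
Added example, not part of the thread and not OpenSSH code: a Python triage script that correlates the syslog messages quoted above by sshd PID, so that "illegal user" failures caused by an expired password can be told apart from attempts against accounts that sshd does not know. The message formats are taken from the quoted log lines; the last two sample lines, the function name and the cause labels are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the first three lines follow the thread's syslog excerpt,
# the last two are invented for contrast.
SAMPLE_LOG = """\
Oct  2 12:37:42 hostname sshd[1754]: User tester password has expired (root forced)
Oct  2 12:37:42 hostname sshd[1754]: Failed none for illegal user tester from 10.10.67.135 port 33595 ssh2
Oct  2 12:37:45 hostname sshd[1754]: Failed password for illegal user tester from 10.10.67.135 port 33595 ssh2
Oct  2 12:40:01 hostname sshd[1802]: Failed password for illegal user nosuch from 10.10.67.200 port 40112 ssh2
Oct  2 12:41:10 hostname sshd[1810]: Failed password for alice from 10.10.67.135 port 33610 ssh2
"""

SSHD = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
EXPIRED = re.compile(r"^User (?P<user>\S+) password has expired(?: \((?P<why>[^)]*)\))?")
FAILED = re.compile(r"^Failed (?P<method>\S+) for (?P<illegal>illegal user )?"
                    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def classify_failures(log_text):
    """Group failed logins by (sshd pid, user) and label the likely cause."""
    expired = {}  # (pid, user) -> reason given in the expiry message
    sessions = defaultdict(lambda: {"methods": [], "ip": None, "illegal": False})
    for line in log_text.splitlines():
        hit = SSHD.search(line)
        if not hit:
            continue
        pid, msg = hit["pid"], hit["msg"]
        if (m := EXPIRED.match(msg)):
            expired[(pid, m["user"])] = m["why"] or "unspecified"
        elif (m := FAILED.match(msg)):
            s = sessions[(pid, m["user"])]
            s["methods"].append(m["method"])
            s["ip"] = m["ip"]
            s["illegal"] = s["illegal"] or bool(m["illegal"])
    report = {}
    for key, s in sessions.items():
        if key in expired:
            cause = "expired-password"   # real account, refused because of expiry
        elif s["illegal"]:
            cause = "illegal-user"       # no expiry notice from this sshd process
        else:
            cause = "bad-credentials"
        report[key] = {**s, "cause": cause, "reason": expired.get(key)}
    return report

if __name__ == "__main__":
    for (pid, user), info in classify_failures(SAMPLE_LOG).items():
        print(pid, user, info["cause"], info["reason"], info["ip"], info["methods"])
```
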