Knox, Timothy P - Eagan, MN
2003-Dec-02 23:37 UTC
Sun Kerberos Password Expiration Problems with OpenSSH 3.7.1p2
I am running Solaris 8 with the Basic Security Module (BSM) loaded and Sun's Enterprise Authentication Mechanism (SEAM) installed. Our servers are using Sun One Directory Services (LDAP) for authorization and Sun's Kerberos 5 implementation for authentication. We have been using OpenSSH 3.4p1 with OpenSSL 0.9.6f and everything has been working fine.

We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c, respectively.

Everything works fine except for having a Kerberos user's password expired, either through "modprinc +needchange user" or through an expiration date that has already passed.

When I connect to the 3.7.1p2 system from a 3.4p1 system, I log in and am prompted to change my Kerberos password (twice) and then allowed in.

When I connect to the 3.7.1p2 system from another 3.7.1p2 system, I log in without being prompted to change my Kerberos password. The next time I log in using a 3.4p1 system, I am then prompted.

When I connect to the 3.7.1p2 system from my Windows-based workstation using PuTTY (0.53b was needed because of the ChallengeResponseAuthentication), I log in without being prompted to change my Kerberos password.

When I connect to a 3.4p1 system from my Windows-based workstation using PuTTY (still using 0.53b), I log in and am prompted to change my Kerberos password (twice) and then allowed in.

This leads me to a couple of conclusions:
1) The problem is OpenSSH, not the new version of PuTTY.
2) The problem did not exist in the older version of OpenSSH.

Therefore, I am submitting this e-mail in search of assistance from anyone who has any solutions for me. I am attaching my sshd_config file inline for troubleshooting purposes. Please let me know if you need any more information or have any ideas for me.

Thanks,
-Timothy P. Knox

#AFSTokenPassing no
AllowGroups *
AllowTcpForwarding yes
AllowUsers *
AuthorizedKeysFile .ssh/authorized_keys
Banner /etc/issue
ChallengeResponseAuthentication yes
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ClientAliveInterval 0
ClientAliveCountMax 3
Compression yes
#DenyGroups *
#DenyUsers *
GatewayPorts no
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_rsa_key
IgnoreRhosts yes
IgnoreUserKnownHosts no
KeepAlive yes
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTgtPassing no
#KerberosTicketCleanup yes
KeyRegenerationInterval 3600
Port 22
ListenAddress 0.0.0.0
LoginGraceTime 300
LogLevel INFO
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
MaxStartups 10
#PAMAuthenticationViaKbdInt no
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
PidFile /var/run/sshd.pid
PrintLastLog yes
PrintMotd no
Protocol 2
PubkeyAuthentication yes
#RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
ServerKeyBits 768
StrictModes yes
Subsystem sftp /usr/libexec/sftp-server
SyslogFacility AUTH
UseLogin no
UsePAM yes
UsePrivilegeSeparation no
#VerifyReverseMapping no
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
XAuthLocation /usr/openwin/bin/xauth
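The sshd_config above is the key piece of evidence in this report, because it decides which server code path sees the user's password (and therefore which path has to notice that the Kerberos principal's password has expired). The script below is an added example for this thread, not code from OpenSSH or from either poster: it parses an sshd_config the way sshd(8) reads it (keywords case-insensitive, "#" comments ignored, the first occurrence of a keyword wins) and reports which SSH-2 authentication methods the file enables and how a typed password is verified. The keyword defaults and the set of SSH-2 cipher names are the OpenSSH 3.7-era values as this editor recalls them, and the embedded sample is the poster's configuration reduced to its authentication- and cipher-related lines; both are assumptions, not text from the mail.

```python
"""Read an sshd_config as sshd(8) does and report the authentication path.

Added example; not OpenSSH code. DEFAULTS and KNOWN_CIPHERS are assumed
OpenSSH 3.7-era values, and SAMPLE_SSHD_CONFIG is a constructed subset
of the configuration posted in the thread.
"""
import re
from typing import Dict, List, Tuple

# Assumed OpenSSH 3.7-era defaults for the keywords that shape the auth path.
DEFAULTS: Dict[str, str] = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "hostbasedauthentication": "no",
    "kerberosauthentication": "no",
    "usepam": "no",
}

# Assumed SSH-2 cipher names a 3.7-era sshd accepts in a Ciphers list.
KNOWN_CIPHERS = {
    "3des-cbc", "blowfish-cbc", "cast128-cbc", "arcfour",
    "aes128-cbc", "aes192-cbc", "aes256-cbc", "rijndael-cbc@lysator.liu.se",
    "aes128-ctr", "aes192-ctr", "aes256-ctr",
}

# Constructed sample: the poster's auth- and cipher-relevant lines.
SAMPLE_SSHD_CONFIG = """\
ChallengeResponseAuthentication yes
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
HostbasedAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
PasswordAuthentication no
Protocol 2
PubkeyAuthentication yes
UsePAM yes
UsePrivilegeSeparation no
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Map lower-cased keyword -> value, keeping the FIRST value seen.

    sshd ignores blank lines and lines starting with '#', treats keywords
    case-insensitively, accepts whitespace or '=' as the separator, and
    uses the first value given for a keyword (later ones are ignored).
    """
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        cfg.setdefault(key, value)  # first occurrence wins
    return cfg


def setting(cfg: Dict[str, str], key: str) -> str:
    """Effective value of a keyword: the file's value, else the default."""
    return cfg.get(key, DEFAULTS.get(key, "")).lower()


def enabled_auth_methods(cfg: Dict[str, str]) -> List[str]:
    """SSH-2 userauth methods this configuration lets sshd offer."""
    methods = []
    if setting(cfg, "pubkeyauthentication") == "yes":
        methods.append("publickey")
    if setting(cfg, "hostbasedauthentication") == "yes":
        methods.append("hostbased")
    if setting(cfg, "passwordauthentication") == "yes":
        methods.append("password")
    if setting(cfg, "challengeresponseauthentication") == "yes":
        methods.append("keyboard-interactive")
    return methods


def password_path(cfg: Dict[str, str]) -> str:
    """How a password typed by the client gets verified on this server."""
    methods = enabled_auth_methods(cfg)
    pam = setting(cfg, "usepam") == "yes"
    krb = setting(cfg, "kerberosauthentication") == "yes"
    if "password" in methods and krb:
        return "password method, verified by sshd against the KDC"
    if "keyboard-interactive" in methods and pam:
        return "keyboard-interactive via PAM"
    if "password" in methods and pam:
        return "password method via PAM"
    if "password" in methods:
        return "password method against the local password database"
    return "no password-based method enabled"


def check_ciphers(cfg: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Split the Ciphers list into (known, unknown) names.

    An unknown name (e.g. one split by a mail client's line wrap) is a
    fatal configuration error: sshd will not start with it.
    """
    names = [n for n in cfg.get("ciphers", "").split(",") if n]
    known = [n for n in names if n in KNOWN_CIPHERS]
    unknown = [n for n in names if n not in KNOWN_CIPHERS]
    return known, unknown


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("methods offered:", enabled_auth_methods(cfg))
    print("password path:  ", password_path(cfg))
    print("unknown ciphers:", check_ciphers(cfg)[1])
```

Run against the posted settings, the script shows why PuTTY 0.53b was needed: with PasswordAuthentication off, the only way to type a password is keyboard-interactive, and with UsePAM on that goes through the PAM stack rather than through sshd's own Kerberos password check. The cipher check is there because the archive wrapped one cipher name across a line; fed the wrapped form, sshd would reject the file rather than silently drop the cipher.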
Darren Tucker
2003-Dec-02 23:55 UTC
Sun Kerberos Password Expiration Problems with OpenSSH 3.7.1p2
"Knox, Timothy P - Eagan, MN" wrote:
>
> I am running Solaris 8 with the Basic Security Module (BSM) loaded and
> Sun's Enterprise Authentication Mechanism (SEAM) installed. Our servers
> are using Sun One Directory Services (LDAP) for authorization and Sun's
> Kerberos 5 implementation for authentication. We have been using OpenSSH
> 3.4p1 with OpenSSL 0.9.6f and everything has been working fine.
>
> We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c,
> respectively.
>
> Everything works fine except for having a Kerberos users' password
> expired, either through modprinc +needchange user or through an
> expiration date that has already passed.

Try the password expiration patch (pwexp26) here:
http://www.zip.com.au/~dtucker/openssh/

It should work in your configuration.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.