bugzilla-daemon at bugzilla.mindrot.org
2017-Oct-18 14:02 UTC
[Bug 2795] New: Login denied for expired passwords, no password change prompt offered
https://bugzilla.mindrot.org/show_bug.cgi?id=2795

            Bug ID: 2795
           Summary: Login denied for expired passwords, no password change prompt offered
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: z.pekar at gmail.com

If user's password has/was expired (e.g. with passwd --expire username) - sftp
will fail to login to the ssh server, saying:

Connection closed

If the same user tries to connect using ssh - it prompts him to change the
expired password.

I think sftp should behave the same way and prompt user to change the expired
password.

Thank you!

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at bugzilla.mindrot.org
2017-Oct-18 14:10 UTC
[Bug 2795] Login denied for expired passwords, no password change prompt offered
https://bugzilla.mindrot.org/show_bug.cgi?id=2795

ab231 <z.pekar at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |z.pekar at gmail.com
          Component|sftp                        |sshd

bugzilla-daemon at bugzilla.mindrot.org
2017-Oct-18 22:26 UTC
[Bug 2795] Login denied for expired passwords, no password change prompt offered
https://bugzilla.mindrot.org/show_bug.cgi?id=2795

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #1 from Darren Tucker <dtucker at zip.com.au> ---
The mechanism sshd currently uses to perform the password change is to exec
/bin/passwd on the tty of the logged in user. An sftp connection has no pty on
the server side, so that's not possible in that case.

The reasons it's done that way are complicated, I will elaborate over on bug
#2796.

bugzilla-daemon at bugzilla.mindrot.org
2017-Oct-18 22:31 UTC
[Bug 2795] Login denied for expired passwords, no password change prompt offered
https://bugzilla.mindrot.org/show_bug.cgi?id=2795

--- Comment #2 from Darren Tucker <dtucker at zip.com.au> ---
That said, there is one existing mechanism that should work in that case:
UsePAM=yes plus ChallengeResponseAuthentication=yes. That will call
pam_chauthtok() with a conversation function that can interact with the ssh
client via the keyboard-interactive SSH auth method.

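The check below is an added example, not part of the bug thread and not OpenSSH project code: it reads output in the format printed by `sshd -T` and reports whether the UsePAM plus keyboard-interactive combination from comment #2 is in effect. The function name and sample inputs are constructed; the handling of the kbdinteractiveauthentication keyword (OpenSSH 8.7 and later) and of AuthenticationMethods goes beyond what the thread mentions.

```shell
#!/bin/sh
# Added example, not OpenSSH project code. Input: "keyword value" lines in the
# format printed by `sshd -T`. The function name is hypothetical.

# Prints one line per finding. Returns 0 only when sshd can run the PAM
# conversation (and so an expired-password change) over keyboard-interactive.
kbdint_pam_check() {
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "usepam" { pam = val }
        # Older releases print challengeresponseauthentication (the keyword in
        # comment #2); OpenSSH 8.7 and later print kbdinteractiveauthentication.
        key == "challengeresponseauthentication" { cra = val }
        key == "kbdinteractiveauthentication" { kia = val }
        # A restricted AuthenticationMethods list must still name the method.
        key == "authenticationmethods" {
            if (val != "any" && $0 !~ /keyboard-interactive/) restricted = 1
        }
        END {
            kbd = (cra != "" ? cra : kia)   # prefer the older keyword if present
            ok = 1
            if (pam != "yes") { print "FAIL usepam=" (pam == "" ? "unset" : pam); ok = 0 }
            if (kbd != "yes") { print "FAIL keyboard-interactive=" (kbd == "" ? "unset" : kbd); ok = 0 }
            if (restricted) { print "FAIL authenticationmethods omits keyboard-interactive"; ok = 0 }
            if (ok) print "OK keyboard-interactive via PAM is available"
            exit !ok
        }
    '
}

# Constructed sample inputs (not captured from a real server).
SAMPLE_GOOD='usepam yes
kbdinteractiveauthentication yes
authenticationmethods any'
SAMPLE_OLD_NO_KBD='usepam yes
challengeresponseauthentication no'
SAMPLE_RESTRICTED='usepam yes
kbdinteractiveauthentication yes
authenticationmethods publickey,password'

printf '%s\n' "$SAMPLE_GOOD" | kbdint_pam_check
printf '%s\n' "$SAMPLE_OLD_NO_KBD" | kbdint_pam_check || true
printf '%s\n' "$SAMPLE_RESTRICTED" | kbdint_pam_check || true
```

On a live host, `sshd -T | kbdint_pam_check` (run as root) evaluates the effective configuration rather than the file contents.
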
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-24 03:43 UTC
[Bug 2795] Login denied for expired passwords, no password change prompt offered
https://bugzilla.mindrot.org/show_bug.cgi?id=2795

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
There's not much we can do for this specific case other than
keyboard-interactive/pam, which already exists. I'm closing this bug but I'll
keep #2796 open in case a suitable interface does become available.

bugzilla-daemon at mindrot.org
2021-Apr-23 04:55 UTC
[Bug 2795] Login denied for expired passwords, no password change prompt offered
https://bugzilla.mindrot.org/show_bug.cgi?id=2795

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release