Hi,
I'm using openssh3.1p1 and I'm having some problem with password aging
with ssh protocol 2. Every time a password expires and I try to login I
get the following message

ssh username at hostname
username at hostname's password:
Warning: Your password has expired, please change it now
Enter login password:
removing root credentials would break the rpc services that
use secure rpc on this host!
root may use keylogout -f to do this (at your own risk)!
Connection to hostname closed by remote host.
Connection to hostname closed.

But when ssh into the same server using ssh -1 username at hostname it
works just fine.
ssh -1 username at hostname
username at hostname's password:
Warning: Your password has expired, please change it now
Enter login password:
New password:
Re-enter new password:
sshd (SYSTEM): passwd successfully changed for username
Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65

Can anybody help me how to get this working for protocol 2.

Thanks
R/Amulya

Amulya,

This will only work on Solaris 8 with the version of OpenSSH you are running. Password aging will only work on Solaris 2.6 with current snapshots if you are not using privilege separation. If you are using privilege separation on the current release or snapshots I don't believe password aging works with any version of Solaris. Someone can correct me if I'm wrong.

The main problem is that PAM on Linux and other open source operating systems has diverged substantially from PAM on Solaris (where it originated)...most PAM operations on Solaris need to run as root ...there was some discussion about this some time ago. I don't know if anyone is currently working on code to resolve these issues.

-Scott

Amulya Parthasarathy wrote:

>Hi,
>I'm using openssh3.1p1 and I'm having some problem with password aging
>with ssh protocol 2. Every time a password expires and I try to login I
>get the following message
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me how to get this working for protocol 2.
>
>Thanks
>R/Amulya
>
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Scott,

I am running this on SunOS 5.8 Generic_108528-12 sun4u sparc SUNW,Ultra-Enterprise. My configuration for sshd_config looks like this.

Port 22
Protocol 2,1
ListenAddress 0.0.0.0
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility LOCAL7
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Banner /etc/issue
Subsystem sftp /usr/local/libexec/sftp-server

R/Amulya

-----Original Message-----
From: Scott Burch [mailto:scott.burch at camberwind.com]
Sent: Wednesday, August 28, 2002 12:22 PM
To: Amulya Parthasarathy
Cc: openssh-unix-dev at mindrot.org
Subject: Re: password aging problem with ssh protocol 2

Amulya,

This will only work on Solaris 8 with the version of OpenSSH you are running. Password aging will only work on Solaris 2.6 with current snapshots if you are not using privilege separation. If you are using privilege separation on the current release or snapshots I don't believe password aging works with any version of Solaris. Someone can correct me if I'm wrong.

The main problem is that PAM on Linux and other open source operating systems has diverged substantially from PAM on Solaris (where it originated)...most PAM operations on Solaris need to run as root ...there was some discussion about this some time ago. I don't know if anyone is currently working on code to resolve these issues.

-Scott

Amulya Parthasarathy wrote:

>Hi,
>I'm using openssh3.1p1 and I'm having some problem with password aging
>with ssh protocol 2. Every time a password expires and I try to login I
>get the following message
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me how to get this working for protocol 2.
>
>Thanks
>R/Amulya
>
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

Larry_Bamford at ao.uscourts.gov
2002-Aug-29 17:02 UTC
password aging problem with ssh protocol 2

I'd like to add to this discussion, since I've had a similar problem. I use OpenSSH 3.4p1 on Solaris 8, 7, 2.6, and 2.5.1. Most of the time I log in successfully using public key authentication with no password challenge (private key already cached). When the last change date for the password is set to 0 or is otherwise expired, I get this:

local$ ssh remote
larry at remote's password: <enter correct password>
Permission denied, please try again:
larry at remote's password: <enter correct password again>
Received disconnect from <remote IP address>: 2: Too many authentication failures for larry
local$

This happens whether or not I use privilege separation. To summarize (I hope this chart translates):

| On the OpenSSH server... | password exists | password is locked (*LK*) |
| --- | --- | --- |
| last change date field is 0 or otherwise expired | public key authentication is defeated by inability to log in to change the password | public key authentication is defeated by inability to log in to change the password |
| last change date field is current or empty | public key authentication works with no password challenge | public key authentication works with no password challenge |

The last change date field is the first field after the encrypted password in the shadow file. I won't go into all the ways this field can get screwed up, but there are plenty of normal procedures that will result in locking me out. Whether the password expired naturally or was forced so by root, the end behavior is the same.

The other observation I have is with an expired or forced expired password, I get the following in the authlog:

Aug 21 16:16:26 jdc30 sshd[14659]: User larry password has expired (root forced) <-- OR (password aged)
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: input_userauth_request: illegal user larry
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: Failed none for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:27 jdc30 sshd[14659]: Failed publickey for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:27 jdc30 last message repeated 4 times
Aug 21 16:16:27 jdc30 sshd[14659]: Failed keyboard-interactive for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:27 jdc30 last message repeated 3 times
Aug 21 16:16:27 jdc30 sshd[14659]: Failed keyboard-interactive for illegal user larry from 156.132.21.168 port 34182 ssh2

It declares me to be an "illegal user". And sshd -d -d -d output shows "input_userauth_request: illegal user larry"

Does this help anybody isolate where the code is failing? Is sshd misinterpreting the expired state of my password? But why is my password being consulted at all when I have sufficient public key authentication to get in? Why did publickey fail? Because I was branded an "illegal user"?

Scott Burch <scott.burch at camberwind.com>
Sent by: openssh-unix-dev-admin at mindrot.org
08/28/02 03:21 PM
To: Amulya Parthasarathy <amulyap at getsmart.com>
cc: openssh-unix-dev at mindrot.org
Subject: Re: password aging problem with ssh protocol 2

Amulya,

This will only work on Solaris 8 with the version of OpenSSH you are running. Password aging will only work on Solaris 2.6 with current snapshots if you are not using privilege separation. If you are using privilege separation on the current release or snapshots I don't believe password aging works with any version of Solaris. Someone can correct me if I'm wrong.

The main problem is that PAM on Linux and other open source operating systems has diverged substantially from PAM on Solaris (where it originated)...most PAM operations on Solaris need to run as root ...there was some discussion about this some time ago. I don't know if anyone is currently working on code to resolve these issues.

-Scott

Amulya Parthasarathy wrote:

>Hi,
>I'm using openssh3.1p1 and I'm having some problem with password aging
>with ssh protocol 2. Every time a password expires and I try to login I
>get the following message
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me how to get this working for protocol 2.
>
>Thanks
>R/Amulya
>
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
>

_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

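
Added example, not part of the message above and not OpenSSH code: a Python audit that sorts shadow entries into the four cells of the chart in that message, so accounts that would hit the lockout can be found before their next login. The shadow entries, the hash placeholders and every account name except larry are constructed; a last change value of 0 is treated as forced expiry and last change plus max days in the past as aged.

```python
from datetime import date

# Constructed sample entries (not real accounts), shadow(4) field order:
# name:password:lastchg:min:max:warn:inactive:expire:flag
SAMPLE_SHADOW = """\
larry:CONSTRUCTEDHASH1:0::::::
alice:CONSTRUCTEDHASH2:11800:7:90:14:::
bob:CONSTRUCTEDHASH3:11900:7:90:14:::
carol:*LK*:0::::::
svc:*LK*:::::::
"""

def days_since_epoch(d):
    """shadow stores lastchg as days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days

def classify(entry, today):
    """Return (name, chart column, chart row) for one shadow line."""
    fields = entry.split(":")
    name, pw, lastchg, maxdays = fields[0], fields[1], fields[2], fields[4]
    column = "locked (*LK*)" if pw.startswith("*LK*") else "exists"
    if lastchg == "":
        row = "current or empty"          # aging information absent
    elif int(lastchg) == 0:
        row = "expired (forced)"          # change required at next login
    elif maxdays not in ("", "-1") and today > int(lastchg) + int(maxdays):
        row = "expired (aged)"            # maximum password age exceeded
    else:
        row = "current or empty"
    return name, column, row

def lockout_candidates(shadow_text, today):
    """Accounts in the top row of the chart: key login would be refused."""
    hits = []
    for line in shadow_text.splitlines():
        if line.count(":") < 4:           # skip blank or malformed lines
            continue
        name, column, row = classify(line, today)
        if row.startswith("expired"):
            hits.append((name, column, row))
    return hits

if __name__ == "__main__":
    today = days_since_epoch(date(2002, 8, 21))   # date of the log excerpt
    for hit in lockout_candidates(SAMPLE_SHADOW, today):
        print(*hit, sep="\t")
```
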
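
Added example, not part of the message above and not OpenSSH code: a Python triage of the authlog pattern that message reports, where an "illegal user" failure preceded by "password has expired" in the same sshd process is an expired-password lockout rather than a login attempt for an unknown account. The first four sample lines follow the excerpt in the message; the guest lines and the 192.0.2.10 address are constructed for contrast.

```python
import re
from collections import defaultdict

# Lines 1-4 follow the authlog excerpt in the message; lines 5-6 are
# constructed (an account that really does not exist on the host).
SAMPLE_AUTHLOG = """\
Aug 21 16:16:26 jdc30 sshd[14659]: User larry password has expired (root forced)
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: input_userauth_request: illegal user larry
Aug 21 16:16:27 jdc30 sshd[14659]: Failed publickey for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:20:01 jdc30 sshd[14702]: input_userauth_request: illegal user guest
Aug 21 16:20:02 jdc30 sshd[14702]: Failed password for illegal user guest from 192.0.2.10 port 40111 ssh2
"""

EXPIRED = re.compile(r"sshd\[(\d+)\]: User (\S+) password has expired \((.+?)\)")
FAILED = re.compile(r"sshd\[(\d+)\]: Failed (\S+) for illegal user (\S+) from (\S+)")

def triage(log_text):
    """Split 'illegal user' failures into expired-password lockouts and
    genuinely unknown users, correlating on (sshd pid, user name)."""
    expired = {}                   # (pid, user) -> reason given by sshd
    failures = defaultdict(list)   # (pid, user) -> [(method, source), ...]
    for line in log_text.splitlines():
        m = EXPIRED.search(line)
        if m:
            expired[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = FAILED.search(line)
        if m:
            pid, method, user, source = m.groups()
            failures[(pid, user)].append((method, source))
    report = {"expired_lockout": [], "unknown_user": []}
    for (pid, user), attempts in failures.items():
        kind = "expired_lockout" if (pid, user) in expired else "unknown_user"
        report[kind].append({
            "user": user,
            "pid": pid,
            "reason": expired.get((pid, user)),
            "methods": sorted({method for method, _ in attempts}),
            "sources": sorted({source for _, source in attempts}),
        })
    return report

if __name__ == "__main__":
    for kind, rows in triage(SAMPLE_AUTHLOG).items():
        for row in rows:
            print(kind, row)
```
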
On Wed, Aug 28, 2002 at 11:36:09AM -0700, Amulya Parthasarathy wrote:

> I'm using openssh3.1p1 and I'm having some problem with password aging
> with ssh protocol 2. Every time a password expires and I try to login I
> get the following message
>
> ssh username at hostname
> username at hostname's password:
> Warning: Your password has expired, please change it now
> Enter login password:
> removing root credentials would break the rpc services that
> use secure rpc on this host!
> root may use keylogout -f to do this (at your own risk)!
> Connection to hostname closed by remote host.
> Connection to hostname closed.
>
> But when ssh into the same server using ssh -1 username at hostname it
> works just fine.
> ssh -1 username at hostname
> username at hostname's password:
> Warning: Your password has expired, please change it now
> Enter login password:
> New password:
> Re-enter new password:
> sshd (SYSTEM): passwd successfully changed for username
> Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
> Can anybody help me how to get this working for protocol 2.

Password change was disabled post 3.1 due to issues raised in bug 188. I have incorporated changes made by Solar Designer into CVS but have left password change disabled, until I had time to verify the changes more thoroughly. I believe they may address 188 issues (Nico, can you look at this?). Please test with current using the patch below.

That said I have seen the issue above on Solaris 8, and I don't know what the cause is. I also can't explain why it works with protocol 1. As I recall, HP-UX 11 does work.

Index: auth-pam.c ==================================================================RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 29 Aug 2002 20:45:38 -0000 
@@ -256,7 +256,7 @@ case PAM_SUCCESS: /* This is what we want */ break; -#if 0 +#if 1 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
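
Review bot: flipping "#if 0" to "#if 1" in front of the PAM_NEW_AUTHTOK_REQD case leaves a bare preprocessor toggle in auth-pam.c, which is fine for a test patch but should not be committed in this form; either drop the conditional once the change is verified or gate it on a named build-time macro, so that whether expired-password handling is compiled in can be seen from the build rather than from a literal 1. The visible lines pick NEW_AUTHTOK_MSG_PRIVSEP when use_privsep is set, so test reports for this patch should state whether privilege separation was enabled. The hunk ends at message_cat, so the rest of the case and the matching #endif cannot be reviewed from what is shown here.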