Hi,
I'm using openssh3.1p1 and I'm having some problem with password aging
with ssh protocol 2. Every time a password expires and I try to login I
get the following message

ssh username at hostname
username at hostname's password:
Warning: Your password has expired, please change it now
Enter login password:
removing root credentials would break the rpc services that
use secure rpc on this host!
root may use keylogout -f to do this (at your own risk)!
Connection to hostname closed by remote host.
Connection to hostname closed.

But when ssh into the same server using ssh -1 username at hostname it
works just fine.
ssh -1 username at hostname
username at hostname's password:
Warning: Your password has expired, please change it now
Enter login password:
New password:
Re-enter new password:
sshd (SYSTEM): passwd successfully changed for username
Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65

Can anybody help me how to get this working for protocol 2.

Thanks
R/Amulya
Amulya,
This will only work on Solaris 8 with the version of OpenSSH you are
running. Password aging will only work on Solaris 2.6 with current
snapshots if you are not using privilege separation. If you are using
privilege separation on the current release or snapshots I don't believe
password aging works with any version of Solaris. Someone can correct me
if I'm wrong. The main problem is that PAM on Linux and other open
source operating systems has diverged substantially from PAM on Solaris
(where it originated)...most PAM operations on Solaris need to run as
root ...there was some discussion about this some time ago. I don't know
if anyone is currently working on code to resolve these issues.
-Scott
Amulya Parthasarathy wrote:
>Hi,
>I'm using openssh3.1p1 and I'm having some problem with password aging
>with ssh protocol 2. Every time a password expires and I try to login I
>get the following message
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me how to get this working for protocol 2.
>
>Thanks
>R/Amulya
>
>_______________________________________________
>openssh-unix-dev at mindrot.org mailing list
>http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
Scott,
I am running this on SunOS 5.8 Generic_108528-12 sun4u sparc
SUNW,Ultra-Enterprise. My configuration for sshd_config looks like this.

Port 22
Protocol 2,1
ListenAddress 0.0.0.0
HostKey /usr/local/etc/ssh_host_key
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility LOCAL7
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsAuthentication no
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
KeepAlive yes
Banner /etc/issue
Subsystem sftp /usr/local/libexec/sftp-server

R/Amulya

-----Original Message-----
From: Scott Burch [mailto:scott.burch at camberwind.com]
Sent: Wednesday, August 28, 2002 12:22 PM
To: Amulya Parthasarathy
Cc: openssh-unix-dev at mindrot.org
Subject: Re: password aging problem with ssh protocol 2

Amulya,
This will only work on Solaris 8 with the version of OpenSSH you are
running. Password aging will only work on Solaris 2.6 with current
snapshots if you are not using privilege separation. If you are using
privilege separation on the current release or snapshots I don't believe
password aging works with any version of Solaris. Someone can correct me
if I'm wrong. The main problem is that PAM on Linux and other open
source operating systems has diverged substantially from PAM on Solaris
(where it originated)...most PAM operations on Solaris need to run as
root ...there was some discussion about this some time ago. I don't know
if anyone is currently working on code to resolve these issues.
-Scott
Amulya Parthasarathy wrote:
>Hi,
>I'm using openssh3.1p1 and I'm having some problem with password aging
>with ssh protocol 2. Every time a password expires and I try to login I
>get the following message
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me how to get this working for protocol 2.
>
>Thanks
>R/Amulya
Larry_Bamford at ao.uscourts.gov
2002-Aug-29 17:02 UTC
password aging problem with ssh protocol 2
I'd like to add to this discussion, since I've had a similar problem. I
use OpenSSH 3.4p1 on Solaris 8, 7, 2.6, and 2.5.1. Most of the time I log
in successfully using public key authentication with no password challenge
(private key already cached). When the last change date for the password
is set to 0 or is otherwise expired, I get this:
local$ ssh remote
larry at remote's password: <enter correct password>
Permission denied, please try again:
larry at remote's password: <enter correct password again>
Received disconnect from <remote IP address>: 2: Too many authentication failures for larry
local$
This happens whether or not I use privilege separation. To summarize (I
hope this chart translates):
On the OpenSSH server...

last change date field is 0 or otherwise expired:
    password exists:           public key authentication is defeated by inability to log in to change the password
    password is locked (*LK*): public key authentication is defeated by inability to log in to change the password

last change date field is current or empty:
    password exists:           public key authentication works with no password challenge
    password is locked (*LK*): public key authentication works with no password challenge
The last change date field is the first field after the encrypted password
in the shadow file. I won't go into all the ways this field can get
screwed up, but there are plenty of normal procedures that will result in
locking me out. Whether the password expired naturally or was forced so
by root, the end behavior is the same.
The other observation I have is with an expired or forced expired
password, I get the following in the authlog:
Aug 21 16:16:26 jdc30 sshd[14659]: User larry password has expired (root forced) <-- OR (password aged)
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: input_userauth_request: illegal user larry
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:26 jdc30 sshd[14659]: Failed none for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:26 jdc30 last message repeated 1 time
Aug 21 16:16:27 jdc30 sshd[14659]: Failed publickey for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:27 jdc30 last message repeated 4 times
Aug 21 16:16:27 jdc30 sshd[14659]: Failed keyboard-interactive for illegal user larry from 156.132.21.168 port 34182 ssh2
Aug 21 16:16:27 jdc30 last message repeated 3 times
Aug 21 16:16:27 jdc30 sshd[14659]: Failed keyboard-interactive for illegal user larry from 156.132.21.168 port 34182 ssh2
It declares me to be an "illegal user". And sshd -d -d -d output
shows
"input_userauth_request: illegal user larry"
Does this help anybody isolate where the code is failing? Is sshd
misinterpreting the expired state of my password? But why is my password
being consulted at all when I have sufficient public key authentication to
get in? Why did publickey fail? Because I was branded an "illegal
user"?
Scott Burch <scott.burch at camberwind.com>
Sent by: openssh-unix-dev-admin at mindrot.org
08/28/02 03:21 PM
To: Amulya Parthasarathy <amulyap at getsmart.com>
cc: openssh-unix-dev at mindrot.org
Subject: Re: password aging problem with ssh protocol 2
Amulya,
This will only work on Solaris 8 with the version of OpenSSH you are
running. Password aging will only work on Solaris 2.6 with current
snapshots if you are not using privilege separation. If you are using
privilege separation on the current release or snapshots I don't believe
password aging works with any version of Solaris. Someone can correct me
if I'm wrong. The main problem is that PAM on Linux and other open
source operating systems has diverged substantially from PAM on Solaris
(where it originated)...most PAM operations on Solaris need to run as
root ...there was some discussion about this some time ago. I don't know
if anyone is currently working on code to resolve these issues.
-Scott
Amulya Parthasarathy wrote:
>Hi,
>I'm using openssh3.1p1 and I'm having some problem with password aging
>with ssh protocol 2. Every time a password expires and I try to login I
>get the following message
>
>ssh username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>removing root credentials would break the rpc services that
>use secure rpc on this host!
>root may use keylogout -f to do this (at your own risk)!
>Connection to hostname closed by remote host.
>Connection to hostname closed.
>
>But when ssh into the same server using ssh -1 username at hostname it
>works just fine.
>ssh -1 username at hostname
>username at hostname's password:
>Warning: Your password has expired, please change it now
>Enter login password:
>New password:
>Re-enter new password:
>sshd (SYSTEM): passwd successfully changed for username
>Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
>Can anybody help me how to get this working for protocol 2.
>
>Thanks
>R/Amulya
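An added example, not part of the thread: a script that audits shadow entries for the two states in Larry's chart that block login (last change date of 0, or aged past the maximum). It assumes the standard shadow(4) field order (name, password, last change, min, max, ...); the function names and the sample entries are constructed for illustration.

```python
import time

def parse_shadow_line(line):
    """Split one shadow(4) entry; an empty aging field means "not set", not 0."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 5:
        raise ValueError("not a shadow entry: %r" % line)
    name, pw, lastchg, _mindays, maxdays = fields[:5]
    return {
        "name": name,
        "locked": pw.startswith("*LK*"),
        "lastchg": int(lastchg) if lastchg else None,
        "max": int(maxdays) if maxdays else None,
    }

def aging_state(entry, today):
    """Return 'ok', 'forced' (lastchg is 0) or 'aged' (lastchg + max < today)."""
    lastchg, maxdays = entry["lastchg"], entry["max"]
    if lastchg is None:
        return "ok"        # empty field: no aging applied
    if lastchg == 0:
        return "forced"    # change required at next login
    if maxdays is not None and maxdays >= 0 and lastchg + maxdays < today:
        return "aged"
    return "ok"

def audit(lines, today=None):
    """Map each account name to (aging state, password locked?)."""
    if today is None:
        today = int(time.time() // 86400)  # days since 1970-01-01
    result = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        entry = parse_shadow_line(line)
        result[entry["name"]] = (aging_state(entry, today), entry["locked"])
    return result

# Constructed sample entries, not taken from the thread.
SAMPLE = [
    "larry:*LK*:0::::::",
    "alice:HASHPLACEHOLDER:11800:0:30:7:::",
    "bob:HASHPLACEHOLDER:11920:0:30:7:::",
    "carol:*LK*:::::::",
]
TODAY = 11928  # 2002-08-29 expressed as days since 1970-01-01
if __name__ == "__main__":
    for name, (state, locked) in sorted(audit(SAMPLE, TODAY).items()):
        print(name, state, "locked" if locked else "not locked")
```

Accounts reported as "forced" or "aged" are the ones that, per the chart, lose public key login as well, whether or not the password is locked.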
On Wed, Aug 28, 2002 at 11:36:09AM -0700, Amulya Parthasarathy wrote:
> I'm using openssh3.1p1 and I'm having some problem with password aging
> with ssh protocol 2. Every time a password expires and I try to login I
> get the following message
>
> ssh username at hostname
> username at hostname's password:
> Warning: Your password has expired, please change it now
> Enter login password:
> removing root credentials would break the rpc services that
> use secure rpc on this host!
> root may use keylogout -f to do this (at your own risk)!
> Connection to hostname closed by remote host.
> Connection to hostname closed.
>
> But when ssh into the same server using ssh -1 username at hostname it
> works just fine.
> ssh -1 username at hostname
> username at hostname's password:
> Warning: Your password has expired, please change it now
> Enter login password:
> New password:
> Re-enter new password:
> sshd (SYSTEM): passwd successfully changed for username
> Last login: Wed Aug 28 11:27:17 2002 from 10.11.42.65
>
> Can anybody help me how to get this working for protocol 2.

Password change was disabled post 3.1 due to issues raised in bug 188.
I have incorporated changes made by Solar Designer into CVS but have
left password change disabled, until I had time to verify the changes
more thoroughly. I believe they may address 188 issues (Nico, can you
look at this?). Please test with current using the patch below.

That said I have seen the issue above on Solaris 8, and I don't know
what the cause is. I also can't explain why it works with protocol 1.
As I recall, HP-UX 11 does work.

Index: auth-pam.c ==================================================================RCS file: /var/cvs/openssh/auth-pam.c,v retrieving revision 1.54 diff -u -r1.54 auth-pam.c --- auth-pam.c 28 Jul 2002 20:24:08 -0000 1.54 +++ auth-pam.c 29 Aug 2002 20:45:38 -0000 
@@ -256,7 +256,7 @@ case PAM_SUCCESS: /* This is what we want */ break; -#if 0 +#if 1 case PAM_NEW_AUTHTOK_REQD: message_cat(&__pam_msg, use_privsep ? NEW_AUTHTOK_MSG_PRIVSEP : NEW_AUTHTOK_MSG);
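Review bot: the `-#if 0` / `+#if 1` flip above `case PAM_NEW_AUTHTOK_REQD:` leaves a constant-true conditional in the switch, so the branch is enabled for every platform and for both values of `use_privsep`, with no way to turn it off at build time. Since the message describes this as a change that is still being verified, a named compile-time macro would make the test build easy to identify and revert; once verified, drop the conditional entirely instead of keeping `#if 1`. The context also stops at the `message_cat(...)` call, so the rest of the case and the matching `#endif` are not visible here and should be included in the posted diff for review.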