openssh unix dev - Oct 2002 - SSH Bug 3.5p1 Expired Passwords

Hello

in the new Openssh 3.5p1 is the sam Bug as in the 3.4p1 :-(
When a User try to login with a expired Passwort, SSH denys the Acces to the
System

fbeckman at zvadmxz:/home/fbeckman # ssh -v fbeckman at xy
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to webmann [129.8.140.69] port 22.
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /.ssh/identity type 0
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'xy' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh_known_hosts:1662
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
fbeckman at xy's password:
Permission denied, please try again.
fbeckman at xy's password:
Permission denied, please try again.
fbeckman at xy's password:
Permission denied.
debug1: Calling cleanup 0x43804(0x0)

--------------------------------------------------------------------------------

The old 3.1.p1 was better look here:

fbeckman at zvadmxy:/home/fbeckman # ssh -v fbeckman at xyz
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to webmann [139.7.180.69] port 22.
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: temporarily_use_uid: 0/1 (e=0)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /.ssh/identity type 0
debug1: identity file /.ssh/id_rsa type 1
debug1: identity file /.ssh/id_dsa type 2
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.1p1
debug1: match: OpenSSH_3.1p1 pat OpenSSH*
debug1: Local version string SSH-1.5-OpenSSH_3.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'xyz' is known and matches the RSA1 host key.
debug1: Found key in /etc/ssh_known_hosts:1662
debug1: Encryption type: blowfish
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: RSA authentication using agent refused.
debug1: Trying RSA authentication with key '/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
fbeckman at xyz's password:
debug1: Requesting pty.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: fd 4 setting TCP_NODELAY
debug1: Requesting shell.
debug1: Entering interactive session.
Warning: Your password has expired, please change it now
Enter login password:
New password:
Re-enter new password:
sshd (SYSTEM): passwd successfully changed for fbeckman
Last login: Wed Oct 16 15:12:13 2002 from xvy

Greetings from Germany

Frank Beckmann
-- 
Frank	Beckmann
Abt. 	TOIU
Tel: 	0211 533-5758
Fax:	0211 533-1451
Mail	Frank.Beckmann at vodafone.com

Frank Beckmann wrote:
> in the new Openssh 3.5p1 is the sam Bug as in the 3.4p1 :-(
> When a User try to login with a expired Passwort, SSH denys the Acces to
the System
In pam-auth.c, change

#if 0
                case PAM_NEW_AUTHTOK_REQD:

to

#if 1
                case PAM_NEW_AUTHTOK_REQD:

and set "UsePrivilegeSeparation no" in sshd_config.

People have reported mixed success, so your milage may vary.

Let the list know how it goes; one of the reasons this isn't enabled in
3.5p1 is lack of testing.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

This method ONLY works for me if I am forcing the use of SSH protocol 1.

It does NOT work for SSH protocol 2.

For protocol 2, I get the following:
login as: jdoe
jdoe at pop's password:
Warning: Your password has expired, please change it now.
Enter login password:

I enter the login password again and then I get "Connection closed by
remote host".

Any suggestions to get this working with protocol 2?

Jeff
>>> Darren Tucker <dtucker at zip.com.au> 10/16/02 09:08AM
>>>
Frank Beckmann wrote:
> in the new Openssh 3.5p1 is the sam Bug as in the 3.4p1 :-(
> When a User try to login with a expired Passwort, SSH denys the Acces to
the System
In pam-auth.c, change

#if 0
                case PAM_NEW_AUTHTOK_REQD:

to

#if 1
                case PAM_NEW_AUTHTOK_REQD:

and set "UsePrivilegeSeparation no" in sshd_config.

People have reported mixed success, so your milage may vary.

Let the list know how it goes; one of the reasons this isn't enabled in
3.5p1 is lack of testing.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev at mindrot.org mailing list
http://www.mindrot.org/mailman/listinfo/openssh-unix-dev