bugzilla-daemon at mindrot.org
2003-Mar-17 13:14 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
Summary: PublickKeyAuthentication failures when account password expires
Product: Portable OpenSSH
Version: 3.4p1
Platform: All
OS/Version: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: ssh
AssignedTo: openssh-unix-dev at mindrot.org
ReportedBy: jim.a.davidson at bt.com
Some time ago I reported this problem with AIX and I think Darren Tucker was
kind enough to supply a patch, such that even if the account password had
expired, we could still use PublicKeyAuthentication to access the remote machine
using that account. I now seem to have a similar problem with Solaris. Is there a
patch available for Solaris to allow us to do this?

We typically use the root account to remotely manage machines and usually set it to
PermitRootLogin without-password as well as disabling remote logins in the o/s.
We also use non-privileged accounts to sftp stuff around in batch mode and do
not want to see password change prompts or connection failures because the
password has expired.

Thanks.
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2003-Mar-17 21:53 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
------- Additional Comments From dtucker at zip.com.au 2003-03-18 08:53 -------
I think you're referring to bug #383, and if so that was about ignoring the
AIX-specific "rlogin" attribute for root in favour of PermitRootLogin, not
expiring passwords.

Is there any reason you can't turn off password expiration for accounts where
you don't want failures due to expired passwords?
bugzilla-daemon at mindrot.org
2003-Mar-17 22:14 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
------- Additional Comments From jim.a.davidson at bt.com 2003-03-18 09:14 -------
Yes, I was in error. Our Security people insist on passwords being expired on
any account that is logged into whether locally or not. If we authenticate
using PublicKeyAuthentication do we really need to do the account password
checking?

Thanks.
bugzilla-daemon at mindrot.org
2003-Mar-18 09:49 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
------- Additional Comments From dtucker at zip.com.au 2003-03-18 20:49 -------
Currently sshd checks for password/account expiry very early in the login
process (before the authentication methods are negotiated, in
auth.c:allowed_user()) so it's probably not a trivial change to omit this check
for public-key authentication only.

I don't think it's a good idea to do this even if it was easy. (Note that I
didn't think the AIX rlogin thing was a good idea at first either :-)

AIX currently does this (doesn't expire passwords via SSH password or
public-key) and I'm trying to get that *fixed*. It's OK until you need to get
in some way other than ssh (eg sshd is broken or you're at the console) then
you're screwed.

Also note that on Solaris cron jobs will fail for accounts with expired
passwords (on Solaris 8 you get "! bad user (testuser)..." on cron's log).

If you don't want password expiry, don't enable it for those accounts. If you
must have it enabled, set the password to something random (eg "openssl rand 6
| mimencode | autopasswd batchaccount") once per month via cron :-).
bugzilla-daemon at mindrot.org
2003-Mar-18 12:00 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
------- Additional Comments From jim.a.davidson at bt.com 2003-03-18 23:00 -------
What you are saying makes good sense. Thanks for your assistance, I will make
these account passwords non expirable and also locked which should keep our
security people happy.
bugzilla-daemon at mindrot.org
2003-Mar-18 21:19 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
------- Additional Comments From dtucker at zip.com.au 2003-03-19 08:19 -------
I suggest using the no-password string "*NP*" in the password field to disable
password authentication as the Solaris system accounts do, rather than locking
the account with passwd -l.

OpenSSH currently allows public-key logins to locked accounts on some
platforms, including Solaris, but this may change in future (see bug #442).
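
An added example, not part of the original thread or of OpenSSH: a shell audit that classifies shadow(4)-style entries by the password-field states discussed above ("*NP*" versus a locked account) and flags accounts whose password ageing would trip the early expiry check. The function names, the sample entries and the "*LK*" lock marker are assumptions of this example; the field layout is the standard name:password:lastchg:min:max:... form.

```shell
#!/bin/sh
# Added example: classify shadow(4)-style entries by password-field state
# and password ageing. Function names and sample data are constructed.

# classify_shadow TODAY  (reads shadow lines on stdin)
# TODAY is days since 1970-01-01, the same unit as the lastchg field.
classify_shadow() {
    awk -F: -v today="$1" '
    /^#/ || NF < 5 { next }                 # skip comments / short lines
    {
        pw = $2; lastchg = $3; max = $5
        # Password field: "*NP*" (no password, as the thread suggests)
        # versus "*LK*" (assumed here to be what passwd -l writes).
        if (pw == "*NP*")           field = "no-password"
        else if (pw ~ /^\*LK\*/)    field = "locked"
        else if (pw == "")          field = "empty"
        else                        field = "hashed"
        # Ageing: lastchg of 0 conventionally forces a change at next login;
        # otherwise the password expires once lastchg + max is in the past.
        if (lastchg != "" && lastchg + 0 == 0)                age = "change-forced"
        else if (lastchg == "" || max == "" || max + 0 < 0)   age = "no-expiry"
        else if (lastchg + max < today + 0)                   age = "expired"
        else                                                  age = "valid"
        print $1, field, age
    }'
}

# Constructed sample input (placeholder hashes, not real accounts).
sample_shadow() {
    cat <<'EOF'
batch1:*NP*:::::::
batch2:*LK*:::::::
oper:HASHPLACEHOLDER:12000:0:30:7:::
dev:HASHPLACEHOLDER:12120:0:30:7:::
newuser:HASHPLACEHOLDER:0:0:30:7:::
EOF
}

# 12129 = 2003-03-18 in days since the epoch
sample_shadow | classify_shadow 12129
```

Accounts reported as "expired" or "change-forced" are the ones to review before relying on them for batch public-key logins or cron jobs.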
bugzilla-daemon at mindrot.org
2003-Mar-23 09:24 UTC
[Bug 511] PublickKeyAuthentication failures when account password expires
http://bugzilla.mindrot.org/show_bug.cgi?id=511
dtucker at zip.com.au changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From dtucker at zip.com.au 2003-03-23 20:24 -------
Closing as "INVALID". Unfortunately there doesn't seem to be a "NOTABUG" or
"FEATURE" :-).