openssh unix dev - Dec 2003 - Sun Kerberos Password Expiration Problems with OpenSSH 3.7.1p2

I am running Solaris 8 with the Basic Security Module (BSM) loaded and
Sun's Enterprise Authentication Mechanism (SEAM) installed. Our servers
are using Sun One Directory Services (LDAP) for authorization and Sun's
Kerberos 5 implementation for authentication. We have been using OpenSSH
3.4p1 with OpenSSL 0.9.6f and everything has been working fine.

We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c,
respectively.

Everything works fine except for having a Kerberos users' password
expired, either through modprinc +needchange user or through an
expiration date that has already passed.

When I connect to the 3.7.1p2 system from a 3.4p1 system, I log in and
am prompted to change my Kerberos password (twice) and then allowed in.

When I connect to the 3.7.1p2 system from another 3.7.1p2 system, I log
in without being prompted to change my Kerberos password. The next time
I log in using a 3.4p1 system, I am then prompted.

When I connect to the 3.7.1p2 system from my Windows based workstation
using PuTTY (0.53b was needed because of the
ChallengeResponseAuthentication), I log in without being prompted to
change my Kerberos password.

When I connect to a 3.4p1 system from my Windows based workstation using
PuTTY (still using 0.53b), I log in and am prompted to change my
Kerberos password (twice) and then allowed in.

This leads me to a couple of conclusions:

1)	The problem is OpenSSH, not the new version of PuTTY.
2)	The problem did not exist in the older version of OpenSSH.

Therefore, I am submitting this e-mail in search of assistance from
anyone who has any solutions for me.

I am attaching my sshd_config file in line for troubleshooting purposes.
Please let me know if you need any more information or have any ideas
for me.

Thanks,
-Timothy P. Knox


#AFSTokenPassing				no
AllowGroups					*
AllowTcpForwarding			yes
AllowUsers					*
AuthorizedKeysFile			.ssh/authorized_keys
Banner					/etc/issue
ChallengeResponseAuthentication	yes
Ciphers
aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-c
bc
ClientAliveInterval			0
ClientAliveCountMax			3
Compression					yes
#DenyGroups					*
#DenyUsers					*
GatewayPorts				no
HostbasedAuthentication			no
HostKey					/etc/ssh/ssh_host_rsa_key
IgnoreRhosts				yes
IgnoreUserKnownHosts			no
KeepAlive					yes
#KerberosAuthentication			no
#KerberosOrLocalPasswd			yes
#KerberosTgtPassing			no
#KerberosTicketCleanup			yes
KeyRegenerationInterval			3600
Port						22
ListenAddress				0.0.0.0
LoginGraceTime				300
LogLevel					INFO
MACs
hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
MaxStartups					10
#PAMAuthenticationViaKbdInt		no
PasswordAuthentication			no
PermitEmptyPasswords			no
PermitRootLogin				no
PidFile					/var/run/sshd.pid
PrintLastLog				yes
PrintMotd					no
Protocol					2
PubkeyAuthentication			yes
#RhostsAuthentication			no
RhostsRSAAuthentication			no
RSAAuthentication				no
ServerKeyBits				768
StrictModes					yes
Subsystem	sftp				/usr/libexec/sftp-server
SyslogFacility				AUTH
UseLogin					no
UsePAM					yes
UsePrivilegeSeparation			no
#VerifyReverseMapping			no
X11DisplayOffset				10
X11Forwarding				yes
X11UseLocalhost				yes
XAuthLocation				/usr/openwin/bin/xauth

"Knox, Timothy P - Eagan, MN" wrote:
> 
> I am running Solaris 8 with the Basic Security Module (BSM) loaded and
> Sun's Enterprise Authentication Mechanism (SEAM) installed. Our servers
> are using Sun One Directory Services (LDAP) for authorization and Sun's
> Kerberos 5 implementation for authentication. We have been using OpenSSH
> 3.4p1 with OpenSSL 0.9.6f and everything has been working fine.
> 
> We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c,
> respectively.
> 
> Everything works fine except for having a Kerberos users' password
> expired, either through modprinc +needchange user or through an
> expiration date that has already passed.
Try the password expiration patch (pwexp26) here:
http://www.zip.com.au/~dtucker/openssh/

It should work in your configuration.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.