Mordechai T. Abzug wrote:
> First off, thanks for the --with-pam fix that lets users with expired
> passwords change their passwords. It's wonderful, and has finally
> allowed us to migrate to openssh after a couple of years.
>
> Problem: after openssh allows a user with an expired password to log
> in, said user does not have any X11 and agent forwardings that have
> been set up. This can be a support issue for naive users who don't
> understand why they can't run X programs.

What version are you using? The keyboard-interactive code in OpenSSH
-current should work (I just tested it and it seems to work). The
non-keyboard-interactive methods (i.e. chauthtok-in-session and
passwd-in-session methods) can't easily reset the forwarding flags
because they're in a different process.

$ ssh -p 2022 localhost -o PreferredAuthentications=keyboard-interactive -X -l testuser
Password:
You are required to change your password immediately (password aged)
Changing password for testuser
(current) UNIX password:
New password:
Retype new password:
[snip]
Running /usr/X11R6/bin/xauth remove unix:16.0
/usr/X11R6/bin/xauth add unix:16.0 MIT-MAGIC-COOKIE-1 52a22d2e5578416b49f86370126fb21d
debug1: Received SIGCHLD.
[testuser at gate testuser]$ echo $DISPLAY
localhost:16.0
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.