search for: needchange

...authentication. We have been using OpenSSH 3.4p1 with OpenSSL 0.9.6f and everything has been working fine. We are updating our OpenSSH and OpenSSL versions to 3.7.1p2 and 0.9.7c, respectively. Everything works fine except for having a Kerberos users' password expired, either through modprinc +needchange user or through an expiration date that has already passed. When I connect to the 3.7.1p2 system from a 3.4p1 system, I log in and am prompted to change my Kerberos password (twice) and then allowed in. When I connect to the 3.7.1p2 system from another 3.7.1p2 system, I log in without being promp...

openssh-unix-dev at mindrot.org kerberos at ncsa.uiuc.edu We believe there is a security flaw in either OpenSSH and/or RedHat's pam_krb5 module. When a Kerberos principal has the REQUIRES_PWCHANGE (+needchange) flag set, OpenSSH+pam_krb5 will still successfully authenticate the user. Local 'su' and 'login' fail in this case which leads us to believe it's at least partially a problem with OpenSSH's PAM code. We first noticed this flaw on SLES8 and verified the same problem on Red...