similar to: [Bug 256] New: Expired password unchangeable again with pam support

http://bugzilla.mindrot.org/show_bug.cgi?id=256 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |DUPLICATE ------- Additional Comments From stevesk at pobox.com 2002-07-18

Currently, OpenSSH prints the message: "Warning: You password has expired, please change it now" if the password has expired. It would be nice if the user could/had to change password before continuing, like with Linux console login. I've tried to make an patch, but it doesn't work. Ideas? --- auth-pam.c.org Wed Oct 11 18:03:43 2000 +++ auth-pam.c Wed Oct 11 18:03:44

Hi there, is there any reason why the code for supporting expired PAM accounts in auth-pam.c:do_pam_account is commented out? Ie. it is not possible to log in to an expired account. When you enable this, the login procedure asks for a new password - all of this seems to work fine. This was enabled in version 3.1 or so, but now? Thanks Stephan -- Stephan M?ller

http://cvs-mirror.mozilla.org/webtools/bugzilla/show_bug.cgi?id=381 Summary: unable to access expired accounts using PAM with openssh-3.4P1 Product: Portable OpenSSH Version: -current Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: major Priority: P2 Component: sshd

Ok, so, things are complicated. The PAM standard insists on password aging being done after account authorization, which comes after user authentication. Kerberos can't authenticate users whose passwords are expired. So PAM_KRB5 implementations tend to return PAM_SUCCESS from pam_krb5:pam_sm_authenticate() and arrange for pam_krb5:pam_sm_acct_mgmt() to return PAM_NEW_AUTHTOK_REQD, as

http://bugzilla.mindrot.org/show_bug.cgi?id=129 Summary: PAM with ssh authentication fails treat PAM_NEW_AUTHTOK_REQD properly Product: Portable OpenSSH Version: 3.0.2p1 Platform: UltraSparc OS/Version: Solaris Status: NEW Severity: normal Priority: P2 Component: sshd

This is an attempt to simplify the AIX expiry-via-passwd stuff and make it more generic. (There's actually a net reduction in #ifdefs). Patch against CVS: 1) configure finds passwd. 2) sshd uses passwd during session if required. 3) sshd uses passwd for PAM change if privsep disabled. 4) sshd uses Buffers for expire and post-login messages (no longer AIX specific). 5) password_change_required

http://bugzilla.mindrot.org/show_bug.cgi?id=188 stevesk at pobox.com changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |smueller at atsec.com ------- Additional Comments From stevesk at pobox.com 2002-07-18 15:46 ------- *** Bug 256 has been marked as a

I am facing the following situation on my Linux: - i have my own user database for the users who log in via a web interface - privileged users are allowed to log on to the device via ssh (pam is in use) - these users are redirected (via nss module) to a linux user who cannot log in directly to the system so far this is working fine. But now I also want the user to change the password if it has

I'm trying to configure my Solaris 9 pam.conf for CDE login/password expiration using ADS security on W2003. If my AD account password is in good standing, my config works great in /etc/pam.conf. However - I'm having trouble getting it to recognize that my password in AD has expired to ask me to reset it on the CDE screen. With the config below - it just tells me "login

Hello in the new Openssh 3.5p1 is the sam Bug as in the 3.4p1 :-( When a User try to login with a expired Passwort, SSH denys the Acces to the System fbeckman at zvadmxz:/home/fbeckman # ssh -v fbeckman at xy OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f debug1: Reading configuration data /etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted.

All, The SAMBA version 3.0.21b expired password pam_winbind.so section perhaps might still have an issue. It seems to just be in some kind of loop and never completes the section in pam_winbind.c of pam_sm_chauthtok. See ssh (Solaris 4.2.p1 ssh) sequence below: ssh hermione Password: Changing password for leeraym (current) NT password: Re-enter new Password: Password: Password:

Hi All. Attached is another patch that attempts to do pam_chauthtok() via SSH2 keyboard-interactive authentication. It now passes the results from the authentication thread back to the monitor (based on a suggestion from djm). Because of this, it doesn't call do_pam_account twice and consequently now works on AIX 5.2, which the previous version didn't. I haven't tested it on any

Hi All. This patch calls pam_chauthtok() to change an expired password via PAM during keyboard-interactive authentication (SSHv2 only). It is tested on Redhat 8 and Solaris 8. In theory, it should have simply been a matter of calling pam_chauthtok with the PAM_CHANGE_EXPIRED_AUTHTOK flag, it'd only change the password is if it's expired, right? From the Solaris pam_chauthtok man page:

Hi, I was doing some research on why new openssh-versions (3.4 and 3.5p1) doesnt ask you to change expired passwords (it just disconnects you) and found something curious. Line 259 of auth-pam.c has "#if 0" and then the code to set some vars (eg. password_change_required to true) followed by an "endif". Why is that? I'm not a C expert, but I think "if 0" is

First off, thanks for the --with-pam fix that lets users with expired passwords change their passwords. It's wonderful, and has finally allowed us to migrate to openssh after a couple of years. Problem: after openssh allows a user with an expired password to log in, said user does not have any X11 and agent forwardings that have been set up. This can be a support issue for naive users who

Hi All. Attached is a patch that implements password expiry with PAM and privsep. It works by passing a descriptor to the tty to the monitor, which sets up a child with that tty as stdin/stdout/stderr, then runs chauthtok(). No setuid helpers. I used some parts of Michael Steffens' patch (bugid #423) to make it work on HP-UX. It's still rough but it works. Tested on Solaris 8 and

http://bugzilla.mindrot.org/show_bug.cgi?id=14 dtucker at zip.com.au changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED ------- Additional Comments From dtucker at zip.com.au 2003-04-15 09:57 ------- Patch against 3.6.1p1 now available. No

bugzilla-daemon at mindrot.org wrote: >Summary: segfault if not using pam/keyboard-interactive mech and > password's expired I'm sorry to report that there is a bug in the PAM code in OpenSSH 3.8p1, and sorrier to say that I put it there. This is a NULL pointer dereference and is *not* considered to be a security vulnerability. When sshd is configured --with-pam, run with

Hello. I have a Debian Lenny Samba 3.2.5 server, with LDAP backend. On linux clients, I am using pam_winbind to change passwords, so both Samba and LDAP passwords are kept in sync. When cients are using Samba 3.2.5, everything works with no problems. But if clients have Samba 3.3.2, I get a warning "Your password has expired" everytime I try to change the password. The passwd command