Bug 112820

Summary: Ssh refuses expired passwords
Product: Red Hat Enterprise Linux 3 Reporter: Need Real Name <shanew>
Component: opensshAssignee: Tomas Mraz <tmraz>
Status: CLOSED DUPLICATE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: todd.warfield
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-02-07 14:35:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Need Real Name 2004-01-02 20:58:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9)
Gecko/20020311

Description of problem:
When a user password has expired, ssh acts as if the password is
wrong.  Based on other similar reports, I have set
UsePrivilegeSeparation to no, and that doesn't solve the issue.  I can
verify that it's the expiration by using chage to move the last
changed day back and forth.

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-18

How reproducible:
Always

Steps to Reproduce:
1. Expire user password
2. ssh user@host
3. Enter correct passwd
    

Actual Results:  After you enter the correct password, it repeatedly
says "permission denied, please try again" like:

test1@fiat's password: 
Permission denied, please try again.
test1@fiat's password: 
Permission denied, please try again.
test1@fiat's password: 
Permission denied (publickey,password,keyboard-interactive).
and then returns to the shell prompt.

Expected Results:  Should expect to see the following (taken from a
RedHat 7.3 box).

test1@fediglib's password: 
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Changing password for test1
(current) UNIX password: 

and then be able to change your password

Additional info:

Here are the relevant sshd entries in /var/log/message:

Jan  2 14:56:25 fiat sshd[4765]: PAM rejected by account
configuration[12]: Authentication token is no longer valid; new one
required.
Jan  2 14:56:25 fiat sshd[4765]: Failed password for test1 from
xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:28 fiat sshd[4765]: PAM rejected by account
configuration[12]: Authentication token is no longer valid; new one
required.
Jan  2 14:56:28 fiat sshd[4765]: Failed password for test1 from
xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:31 fiat sshd[4765]: PAM rejected by account
configuration[12]: Authentication token is no longer valid; new one
required.
Jan  2 14:56:31 fiat sshd[4765]: Failed password for test1 from
xx.xx.xx.xx port 59798 ssh2

Comment 1 Need Real Name 2004-01-12 23:56:20 UTC
I managed to fix the problem, but it still seems like a rather
important thing to fix.  I can't imagine that we're the only RHEL 3
installation that expires passwords as a way to force users to change
them.

In the end, I downloaded the Multi-platform Password Expiry patch to
openssh 3.6.1p2 from http://www.zip.com.au/~dtucker/openssh/, opened
up the openssh source RPM and edited the spec file to patch it in
during prep and then rebuilt it using rpmbuild and replacing the
installed package with the new one.  Note that this wasn't a simple or
straightforward procedure since I'm not terribly familiar with editing
src RPMs, but it did get the job done.

Comment 2 Todd Warfield 2004-03-05 20:27:59 UTC
I've come across this issue as well, and was surprised to see it. Are 
there plans to release a patched version that will support expiry?

Comment 3 Tomas Mraz 2005-02-07 14:35:10 UTC

*** This bug has been marked as a duplicate of 124602 ***