112820 – Ssh refuses expired passwords

Bug 112820 - Ssh refuses expired passwords

Summary: Ssh refuses expired passwords

Keywords:
Status:	CLOSED DUPLICATE of bug 124602
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	openssh
Sub Component:
Version:	3.0
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Tomas Mraz
QA Contact:	Brian Brock
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-01-02 20:58 UTC by Need Real Name
Modified:	2007-11-30 22:06 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-02-07 14:35:10 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Need Real Name 2004-01-02 20:58:32 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9)
Gecko/20020311

Description of problem:
When a user password has expired, ssh acts as if the password is
wrong.  Based on other similar reports, I have set
UsePrivilegeSeparation to no, and that doesn't solve the issue.  I can
verify that it's the expiration by using chage to move the last
changed day back and forth.

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-18

How reproducible:
Always

Steps to Reproduce:
1. Expire user password
2. ssh user@host
3. Enter correct passwd
    

Actual Results:  After you enter the correct password, it repeatedly
says "permission denied, please try again" like:

test1@fiat's password: 
Permission denied, please try again.
test1@fiat's password: 
Permission denied, please try again.
test1@fiat's password: 
Permission denied (publickey,password,keyboard-interactive).
and then returns to the shell prompt.

Expected Results:  Should expect to see the following (taken from a
RedHat 7.3 box).

test1@fediglib's password: 
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Changing password for test1
(current) UNIX password: 

and then be able to change your password

Additional info:

Here are the relevant sshd entries in /var/log/message:

Jan  2 14:56:25 fiat sshd[4765]: PAM rejected by account
configuration[12]: Authentication token is no longer valid; new one
required.
Jan  2 14:56:25 fiat sshd[4765]: Failed password for test1 from
xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:28 fiat sshd[4765]: PAM rejected by account
configuration[12]: Authentication token is no longer valid; new one
required.
Jan  2 14:56:28 fiat sshd[4765]: Failed password for test1 from
xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:31 fiat sshd[4765]: PAM rejected by account
configuration[12]: Authentication token is no longer valid; new one
required.
Jan  2 14:56:31 fiat sshd[4765]: Failed password for test1 from
xx.xx.xx.xx port 59798 ssh2

Comment 1 Need Real Name 2004-01-12 23:56:20 UTC

I managed to fix the problem, but it still seems like a rather
important thing to fix.  I can't imagine that we're the only RHEL 3
installation that expires passwords as a way to force users to change
them.

In the end, I downloaded the Multi-platform Password Expiry patch to
openssh 3.6.1p2 from http://www.zip.com.au/~dtucker/openssh/, opened
up the openssh source RPM and edited the spec file to patch it in
during prep and then rebuilt it using rpmbuild and replacing the
installed package with the new one.  Note that this wasn't a simple or
straightforward procedure since I'm not terribly familiar with editing
src RPMs, but it did get the job done.

Comment 2 Todd Warfield 2004-03-05 20:27:59 UTC

I've come across this issue as well, and was surprised to see it. Are 
there plans to release a patched version that will support expiry?

Comment 3 Tomas Mraz 2005-02-07 14:35:10 UTC


*** This bug has been marked as a duplicate of 124602 ***

Note You need to log in before you can comment on or make changes to this bug.