From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311

Description of problem:
When a user password has expired, ssh acts as if the password is wrong. Based on other similar reports, I have set UsePrivilegeSeparation to no, and that doesn't solve the issue. I can verify that it's the expiration by using chage to move the last changed day back and forth.

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-18

How reproducible:
Always

Steps to Reproduce:
1. Expire user password
2. ssh user@host
3. Enter correct passwd

Actual Results:
After you enter the correct password, it repeatedly says "permission denied, please try again" like:

test1@fiat's password:
Permission denied, please try again.
test1@fiat's password:
Permission denied, please try again.
test1@fiat's password:
Permission denied (publickey,password,keyboard-interactive).

and then returns to the shell prompt.

Expected Results:
Should expect to see the following (taken from a RedHat 7.3 box).

test1@fediglib's password:
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Changing password for test1
(current) UNIX password:

and then be able to change your password

Additional info:
Here are the relevant sshd entries in /var/log/message:

Jan 2 14:56:25 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan 2 14:56:25 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan 2 14:56:28 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan 2 14:56:28 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan 2 14:56:31 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan 2 14:56:31 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
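The log entries in the report above show that each "Failed password" line caused by expiry is preceded, in the same sshd process, by a PAM account rejection with code 12. The following is an added example, not part of the original report or of OpenSSH, that uses that pairing to separate expired-password failures from genuine wrong-password failures when reviewing logs; the `test2` entry and PID 4801 are constructed for contrast.

```python
import re
from collections import Counter

# Linux-PAM return code whose message is "Authentication token is no longer valid"
PAM_NEW_AUTHTOK_REQD = 12

LINE_RE = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+\S+\s+sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
PAM_RE = re.compile(r"PAM rejected by account configuration\[(?P<code>\d+)\]")
FAIL_RE = re.compile(r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) from ")

# Constructed sample: the test1 lines mirror the report, the test2 line is invented.
SAMPLE_LOG = """\
Jan 2 14:56:25 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan 2 14:56:25 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan 2 14:56:28 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan 2 14:56:28 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan 2 14:56:31 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan 2 14:56:31 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan 2 14:57:02 fiat sshd[4801]: Failed password for test2 from xx.xx.xx.xx port 59811 ssh2
"""


def classify_failures(log_text):
    """Count failures per (user, reason); reason is 'expired' or 'bad_password'."""
    pending = {}  # sshd pid -> PAM account rejection code not yet matched to a failure
    result = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an sshd syslog line
        pid, msg = m.group("pid"), m.group("msg")
        pam = PAM_RE.search(msg)
        if pam:
            pending[pid] = int(pam.group("code"))
            continue
        fail = FAIL_RE.search(msg)
        if fail:
            # A rejection only explains the next failure logged by the same process.
            code = pending.pop(pid, None)
            reason = "expired" if code == PAM_NEW_AUTHTOK_REQD else "bad_password"
            result[(fail.group("user"), reason)] += 1
    return result


if __name__ == "__main__":
    for (user, reason), count in sorted(classify_failures(SAMPLE_LOG).items()):
        print(f"{user}: {count} x {reason}")
```

Accounts that show only `expired` failures are users locked out by password aging rather than password-guessing attempts, which matters when tuning alerts on "Failed password" counts.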
I managed to fix the problem, but it still seems like a rather important thing to fix. I can't imagine that we're the only RHEL 3 installation that expires passwords as a way to force users to change them. In the end, I downloaded the Multi-platform Password Expiry patch to openssh 3.6.1p2 from http://www.zip.com.au/~dtucker/openssh/, opened up the openssh source RPM, edited the spec file to patch it in during prep, and then rebuilt it using rpmbuild and replaced the installed package with the new one. Note that this wasn't a simple or straightforward procedure since I'm not terribly familiar with editing src RPMs, but it did get the job done.
I've come across this issue as well, and was surprised to see it. Are there plans to release a patched version that will support expiry?
*** This bug has been marked as a duplicate of 124602 ***