Bug 112820 - Ssh refuses expired passwords
Status: CLOSED DUPLICATE of bug 124602
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: i386 Linux
Priority: medium Severity: medium
Assigned To: Tomas Mraz
Brian Brock
Reported: 2004-01-02 15:58 EST by Need Real Name
Modified: 2007-11-30 17:06 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-02-07 09:35:10 EST
Description Need Real Name 2004-01-02 15:58:32 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9)
Gecko/20020311

Description of problem:
When a user password has expired, ssh acts as if the password is
wrong.  Based on other similar reports, I have set
UsePrivilegeSeparation to no, and that doesn't solve the issue.  I can
verify that it's the expiration by using chage to move the last
changed day back and forth.

Version-Release number of selected component (if applicable):
openssh-3.6.1p2-18

How reproducible:
Always

Steps to Reproduce:
1. Expire user password
2. ssh user@host
3. Enter correct passwd
    

Actual Results:  After you enter the correct password, it repeatedly
says "permission denied, please try again" like:

test1@fiat's password: 
Permission denied, please try again.
test1@fiat's password: 
Permission denied, please try again.
test1@fiat's password: 
Permission denied (publickey,password,keyboard-interactive).
and then returns to the shell prompt.

Expected Results:  Should expect to see the following (taken from a
RedHat 7.3 box).

test1@fediglib's password: 
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Changing password for test1
(current) UNIX password: 

and then be able to change your password

Additional info:

Here are the relevant sshd entries in /var/log/message:

Jan  2 14:56:25 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan  2 14:56:25 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:28 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan  2 14:56:28 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:31 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan  2 14:56:31 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
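
The sshd entries quoted above are easy to misread in monitoring: every attempt ends in "Failed password" although the password was correct. As an added example, not part of the original report or of OpenSSH, this Python function separates such failures from real wrong-password attempts by pairing each one with the preceding account rejection from the same sshd PID. It assumes the bracketed code 12 is Linux-PAM's PAM_NEW_AUTHTOK_REQD; the test2 line in the sample is constructed for contrast.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the sshd entries quoted in the report
# (wrapped lines joined, source address masked as in the report).
# The final test2 line is not from the report; it is added for contrast.
SAMPLE_LOG = """\
Jan  2 14:56:25 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan  2 14:56:25 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan  2 14:56:28 fiat sshd[4765]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jan  2 14:56:28 fiat sshd[4765]: Failed password for test1 from xx.xx.xx.xx port 59798 ssh2
Jan  2 15:02:10 fiat sshd[4801]: Failed password for test2 from xx.xx.xx.xx port 59911 ssh2
"""

PAM_NEW_AUTHTOK_REQD = 12  # assumption: the bracketed number is the Linux-PAM return code

LINE = re.compile(r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCT = re.compile(r"PAM rejected by account configuration\[(?P<code>\d+)\]")
FAIL = re.compile(r"Failed password for (?:(?:invalid|illegal) user )?(?P<user>\S+) from")

def classify_failures(log_text):
    """Return {user: {"expired": n, "other": n}} for 'Failed password' lines.

    A failure counts as "expired" when the same sshd process logged an
    account-phase rejection with code 12 immediately before it.
    """
    pending = {}  # pid -> True if that pid's previous line was a code-12 rejection
    counts = defaultdict(lambda: {"expired": 0, "other": 0})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        acct = ACCT.search(msg)
        if acct:
            pending[pid] = int(acct.group("code")) == PAM_NEW_AUTHTOK_REQD
            continue
        fail = FAIL.search(msg)
        if fail:
            kind = "expired" if pending.pop(pid, False) else "other"
            counts[fail.group("user")][kind] += 1
        else:
            pending.pop(pid, None)  # unrelated line breaks the pairing
    return {user: dict(c) for user, c in counts.items()}

if __name__ == "__main__":
    for user, c in classify_failures(SAMPLE_LOG).items():
        print(user, c)
```

Accounts that show only "expired" failures need a password change path, not a lockout or a brute-force alert.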
Comment 1 Need Real Name 2004-01-12 18:56:20 EST
I managed to fix the problem, but it still seems like a rather
important thing to fix.  I can't imagine that we're the only RHEL 3
installation that expires passwords as a way to force users to change
them.

In the end, I downloaded the Multi-platform Password Expiry patch to
openssh 3.6.1p2 from http://www.zip.com.au/~dtucker/openssh/, opened
up the openssh source RPM and edited the spec file to patch it in
during prep and then rebuilt it using rpmbuild and replacing the
installed package with the new one.  Note that this wasn't a simple or
straightforward procedure since I'm not terribly familiar with editing
src RPMs, but it did get the job done.
Comment 2 Todd Warfield 2004-03-05 15:27:59 EST
I've come across this issue as well, and was surprised to see it. Are 
there plans to release a patched version that will support expiry?
Comment 3 Tomas Mraz 2005-02-07 09:35:10 EST

*** This bug has been marked as a duplicate of 124602 ***
