Red Hat Bugzilla – Bug 98330
openssh server can not handle expired accounts.
Last modified: 2007-11-30 17:06:56 EST
Description of problem:
Connections of users w/ expired accounts are closed at once.
PAM rejected by account configuration: Authentication token is no longer valid;
ew one required.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. chage -d 2003-03-01 -M 80 <user>
2. ssh <user>@<host>
User is kicked out
User is prompted for new password
This is documented as a known problem:
I've had this exact same problem, and it's highly annoying for my users, some of
whom only log in once every few months.
Created attachment 94530 [details]
patch to enable pasword expiration/updating with Privilege Separation turned off
This patch allows password expiration/updates to work properly as long as
UsePrivilegeSeparation is set to no is /etc/ssh/sshd_config. For some reason
the code which handles password changes was #if0-ed out in sshd, but it appears
to have no effect on system operation is separation is turned on.
This seems to affect Red Hat Enterprise Linux 3 too. Any chance to see
a fix (at least for RHEL)?
Any news regarding this?
At least a user "&npsb; " has closed our service request....
We're really suffering from this, since you have to ask a colleauge
to reset your password if it expires (which is no fun at, say, 3 a.m.
on a Sunday....)
Nick (Gunnar) Bluth
Any chances to see a fix soon?
Our service request (open since Nov. has been closed _again_, but
this time, I can't reopen it (!).
This request is from Nov 20., 2003, there are patches to fix the
problem, and it affects the EL 3 line.
With this "feature", RHEL is not really "enterprise ready", so why
don't we see any motion in this?!?
It would be nice to at least see this bug changing from "NEW" to
something more motivating (e.g. "ERRATA" ;-).....
Giuseppe, I hope "contract" is a higher priority...?
We really do suffer from this!
Nick (Gunnar) Bluth
Dresdner Kleinwort Wassestein
Dresdner Bank AG
I have not seen this problem in SuSE EL 8, perhaps SuSE is ready for
the enterprise and Redhat is not? I am currently having this problem
in my environment with my RHEL 3 systems and it is rather
unacceptable. We are an ssh only shop that sets passwords and then
likes to use the force on next login option. (good security measure,
but can't be implemented as long as this problem exists.)
As I see, this is still "NEW", 'though #83585 says there is a fix "in
sight"... that was 2004-03-04, also more than a month ago...
Looking at the first entry shows:
Opened by Nick (Gunnar) Bluth (firstname.lastname@example.org) on
I mean, this is no longer funny, is it?
We had to manually un-age 12 developers on 24 boxes. This probably
took us more time than applying the patch and releasing an Erratum
would have taken at RH....