Description of problem: Connections of users w/ expired accounts are closed at once. /var/log/secure shows: PAM rejected by account configuration[12]: Authentication token is no longer valid; n ew one required. Version-Release number of selected component (if applicable): openssh-server-3.5p1-6 How reproducible: Always Steps to Reproduce: 1. chage -d 2003-03-01 -M 80 <user> 2. ssh <user>@<host> Actual results: User is kicked out Expected results: User is prompted for new password Additional info: This is documented as a known problem: http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&th=75c1a9b5515f0483&seekm=Xns939968933343Cchrispagannet%40206.124.0.13&frame=off http://www.zip.com.au/~dtucker/openssh/
I've had this exact same problem, and it's highly annoying for my users, some of whom only log in once every few months.
Created attachment 94530 [details] patch to enable pasword expiration/updating with Privilege Separation turned off This patch allows password expiration/updates to work properly as long as UsePrivilegeSeparation is set to no is /etc/ssh/sshd_config. For some reason the code which handles password changes was #if0-ed out in sshd, but it appears to have no effect on system operation is separation is turned on.
This seems to affect Red Hat Enterprise Linux 3 too. Any chance to see a fix (at least for RHEL)?
Any news regarding this? At least a user "&npsb; " has closed our service request.... (#273211) We're really suffering from this, since you have to ask a colleauge to reset your password if it expires (which is no fun at, say, 3 a.m. on a Sunday....) Nick (Gunnar) Bluth
Any chances to see a fix soon?
It's ridiculous! Our service request (open since Nov. has been closed _again_, but this time, I can't reopen it (!). This request is from Nov 20., 2003, there are patches to fix the problem, and it affects the EL 3 line. With this "feature", RHEL is not really "enterprise ready", so why don't we see any motion in this?!? It would be nice to at least see this bug changing from "NEW" to something more motivating (e.g. "ERRATA" ;-)..... Giuseppe, I hope "contract" is a higher priority...? We really do suffer from this! Nick (Gunnar) Bluth Dresdner Kleinwort Wassestein Dresdner Bank AG Allianz Group
I have not seen this problem in SuSE EL 8, perhaps SuSE is ready for the enterprise and Redhat is not? I am currently having this problem in my environment with my RHEL 3 systems and it is rather unacceptable. We are an ssh only shop that sets passwords and then likes to use the force on next login option. (good security measure, but can't be implemented as long as this problem exists.)
As I see, this is still "NEW", 'though #83585 says there is a fix "in sight"... that was 2004-03-04, also more than a month ago... Looking at the first entry shows: Opened by Nick (Gunnar) Bluth (bluth) on 2003-07-01 05:01 !!!!!!!!!!!!!!!!! I mean, this is no longer funny, is it? We had to manually un-age 12 developers on 24 boxes. This probably took us more time than applying the patch and releasing an Erratum would have taken at RH....
https://rhn.redhat.com/errata/RHBA-2004-114.html