[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: OpenSSH and PAM



Chip Christian wrote:
> 
> erbenson@alaska.net said:
> > scp does not create an interactive session, so it should be possible
> > for ssh to eschew password change enforcment for non-interactive
> > sessions.
> 
> > this would allow users to avoid it by logging in by ssh host /bin/bash
> > but if they are that stubborn they will find other ways to get out of
> > changing their password.
> 
> Sure, but it still ought to consume any grace logins the user has left, so
> once the password expires for good, all logins, passworded or not, should
> fail.

Moreover, I think that even scp (and any other non-interactive app) should
just refuse access if user's password should be changed.  (It must if it is
expired, as Chip Christian said.)  "Hey, change your password firts using
some interactive way, and retry afterwards".  Actually, scp _is_ (partially)
interactive.





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index] []