Re: SSH and expired passwords
- From: Ken Snider <ken snider datawire net>
- To: "Discussion of Red Hat Enterprise Linux 3 (Taroon)" <taroon-list redhat com>
- Subject: Re: SSH and expired passwords
- Date: Wed, 06 Apr 2005 18:05:21 -0400
Chris Kloiber wrote:
> On Wed, 2005-04-06 at 15:23 -0400, Ken Snider wrote:
>
>>Jurvis LaSalle wrote:
>>
>>>A user's password expired while on vacation. When trying to ssh into the
>>>server (running RHEL3-U4), he was greeted with this message:
>>>
>>>You are required to change your password immediately (password aged)
>>>Your password has expired, the session cannot proceed.
>>>Connection to server.bard.edu closed.
>>>
>>>What do I need to enable in sshd_config so that he's prompted to change
>>>the expired password rather than just kicking him? I'd like to keep
>>>X11Forwarding and UsePrivilegeSeparation enabled if I can.
>>
>>You have to disable Privilege Separation, so that the sshd can maintain root
>>privileges (and access to /etc/shadow).
>
>
> FYI- There is an open bug on this with test packages to try and resolve
> this.
>
> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124602
>
Well then, I'd better chime in with my interactions from a year ago on this.
The *original* patches to OpenSSH which enabled this feature took place
*before* separation. The final patches that were applied took place *after*
separation. Darren Tucker's patches, which were *perfect* from a Linux POV,
were basically stripped down and added to the mainline OpenSSH 3.8+, and
have this issue.
If you *really* want to fix the problem, you can try and use Darren's
patches, details here:
http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=107650523726292
and his patches here:
http://www.zip.com.au/~dtucker/openssh/
--
Ken Snider