On Tue, Jun 19, 2018 at 02:13:56AM +0200, Jochen Bern wrote:
> Enter a corporate password policy that requires passwords to be complex,
> different everywhere, and of limited lifetime. It helpfully suggests the
> use of password safes, but doesn't allow the lifetime to be extended by
> making the password *really* complex.

A sufficiently advanced password vault (e.g. CyberArk EPV) will allow a user to request the current password and then will reset the password some time later (e.g. 24 hours)... and can ensure passwords are reset every 80 days (or whatever) so they don't expire. There are a number of products on the market that can do this.

In the worst case they ssh into the account with the old password, run the "passwd" command and set a new one. In a good case they have access to a privileged account (e.g. one with "sudo passwd") so they can reset the password even if the old one doesn't work.

In this way the password is only known for a short period of time.

> Hence my question: Are there ideas/plans/projects to have an OpenSSH
> connection provide a communication channel between password safe(*) and
> the remote password-changing mechanisms, similar to how Authentication
> Agent Forwarding mediates communication between a local ssh-agent and
> remote ssh/scp/sftp/... clients? Would there be suitable pre-existing
> protocols to communicate stuff like "password change needed yes/no",
> "new password failed, please retry" etc. etc. between the end points?

If you go down this route then it sounds like a PAM password change module that can push the new password into the vault might be a better option, so if the "passwd" command is run then it'll also push it.

I don't think sshd is the right place for this.

-- 
rgds
Stephen

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
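The check-out-then-reset cycle Stephen describes (hand the password out, reset it 24 hours later, and in any case before the 80-day mark), as an added example that is not part of the mailing-list post and is not code from CyberArk or any other vault product. It takes the "good case" path, a privileged account that can set a new password without knowing the old one, using `sudo chpasswd` rather than interactive `passwd`, and it handles the "new password failed, please retry" situation the question raises by recording the candidate before pushing it and keeping the old password when the host refuses. The command runner is injected so the driver runs offline; `ssh_runner` is the real one and assumes a vault service account with key-based ssh access and a sudoers rule allowing `chpasswd` without a password prompt. Every name here (`VaultEntry`, `ssh_runner`, `demo`, the hostnames) is this example's own.

```python
"""Check-out / rotate cycle for a vaulted account (added example, not vault code)."""
import secrets
import shlex
import string
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Policy values taken from the post: reset 24h after check-out, and never let a
# password get older than 80 days (so it never hits a 90-day expiry).
RESET_AFTER_CHECKOUT = timedelta(hours=24)
MAX_PASSWORD_AGE = timedelta(days=80)

# A runner executes argv on host with the given stdin and returns (exit status, stdout).
Runner = Callable[[str, list, Optional[str]], tuple]


def generate_password(length: int = 32) -> str:
    """CSPRNG-backed password; no ':' or newline, which chpasswd's 'user:pw' line needs."""
    alphabet = string.ascii_letters + string.digits + "-_.+="
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class VaultEntry:
    host: str
    account: str
    password: str
    last_rotated: datetime
    checked_out_at: Optional[datetime] = None
    pending: Optional[str] = None          # candidate recorded before the push
    log: list = field(default_factory=list)

    def checkout(self, now: datetime) -> str:
        """Hand out the current password and start the 24h reset clock."""
        self.checked_out_at = now
        return self.password

    def rotation_due(self, now: datetime) -> bool:
        if self.checked_out_at is not None and now - self.checked_out_at >= RESET_AFTER_CHECKOUT:
            return True
        return now - self.last_rotated >= MAX_PASSWORD_AGE

    def rotate(self, run: Runner, now: datetime) -> bool:
        """Set a new password via the privileged path (sudo chpasswd).

        The candidate goes into `pending` before the push, so a crash between
        push and commit cannot leave the vault holding a password the host no
        longer accepts. On failure the old password is kept and the caller retries.
        """
        self.pending = generate_password()
        status, _out = run(self.host, ["sudo", "-n", "chpasswd"],
                           f"{self.account}:{self.pending}\n")
        if status != 0:
            self.log.append((now, "rotate-failed"))
            return False
        self.password, self.pending = self.pending, None
        self.last_rotated, self.checked_out_at = now, None
        self.log.append((now, "rotated"))
        return True


def ssh_runner(host: str, argv: list, stdin: Optional[str]) -> tuple:
    """Run argv on host over ssh in batch mode (key auth only, never a prompt)."""
    proc = subprocess.run(["ssh", "-o", "BatchMode=yes", "--", host, shlex.join(argv)],
                          input=stdin, capture_output=True, text=True, check=False)
    return proc.returncode, proc.stdout


def demo() -> dict:
    """Offline walk-through with two constructed fake hosts: one accepts, one refuses."""
    calls = []

    def good_host(host, argv, stdin):
        calls.append((host, argv, stdin))
        return 0, ""

    def bad_host(host, argv, stdin):   # constructed chpasswd-style failure output
        return 1, "chpasswd: PAM: Authentication token manipulation error\n"

    t0 = datetime(2018, 6, 19, tzinfo=timezone.utc)
    entry = VaultEntry("db1.example.internal", "oracle", generate_password(), t0)
    first = entry.checkout(t0)
    due_1h = entry.rotation_due(t0 + timedelta(hours=1))
    due_25h = entry.rotation_due(t0 + timedelta(hours=25))
    failed = entry.rotate(bad_host, t0 + timedelta(hours=25))
    unchanged = entry.password == first
    ok = entry.rotate(good_host, t0 + timedelta(hours=25))
    t1 = t0 + timedelta(hours=25)
    return {"due_1h": due_1h, "due_25h": due_25h, "failed": failed,
            "unchanged_after_failure": unchanged, "ok": ok,
            "changed": entry.password != first, "pushed_line": calls[0][2],
            "due_79d": entry.rotation_due(t1 + timedelta(days=79)),
            "due_80d": entry.rotation_due(t1 + timedelta(days=80)),
            "events": [e for _, e in entry.log]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value if key != 'pushed_line' else value.split(':')[0] + ':***'}")
```

In production the loop is simply: on each tick, for every entry where `rotation_due(now)` is true, call `rotate(ssh_runner, now)`. The "worst case" path from the post (log in as the account with the old password and run `passwd`) is deliberately not implemented here: it needs a pty and the old password to still work, which is exactly what the privileged path avoids.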