I've had a problem for over a month now with password expiry and cleared password functions not working correctly on a Solaris 7 box specific to OpenSSH and PAM. I compiled OpenSSH with PAM functionality in hopes of supporting both expiry and cleared passwords. This was not a problem until recently as we switched all clients from telnet to ssh.

Here are my sshd entries in /etc/pam.conf:

    $ fgrep sshd /etc/pam.conf
    sshd auth required /usr/lib/security/pam_unix.so.1
    sshd account required /usr/lib/security/pam_unix.so.1
    sshd session required /usr/lib/security/pam_unix.so.1
    sshd password required /usr/lib/security/pam_unix.so.1

Cleared passwords prompt for a password and exit after 3 failed attempts. Expiring a passwd -- $ passwd -f <userid> -- prompts for the old password, then asks for the new password and fails:

    $ ssh user@foo
    user@foo's password:
    Warning: Your password has expired, please change it now
    Enter login password:
    sshd(SYSTEM): Sorry, wrong passwd
    Connection to foo closed by remote host.
    Connection to foo closed.

If I set "PAMAuthenticationViaKbdInt" to "yes" in my sshd_config, then I receive the following messages:

    $ ssh user@foo
    Password:
    Warning: Your password has expired, please change it now
    Enter login password:
    sshd(SYSTEM): Sorry, wrong passwd
    removing root credentials would break the rpc services that use secure rpc on this host!
    root may use keylogout -f to do this (at your own risk)!
    Connection to foo closed by remote host.
    Connection to foo closed.
I receive the following messages in my logs in relation to attempts at changing expired passwords:

    Jul 10 10:48:12 foo sshd[27005]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[7]: Permission denied
    Jul 10 10:48:49 foo sshd[26997]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[20]: Authentication token manipulation error
    Jul 10 10:48:53 foo sshd[27011]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[-1]: Unknown error
    Jul 10 10:53:16 foo sshd[27102]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[7]: Permission denied

I am running OpenSSH 3.1p1. I did read that the new version of ssh will break PAM if "UsePrivilegeSeparation" is set to "yes" in the sshd_config, but I don't think that is relevant to the version I am running.

Are there other PAM modules that work with the Sun implementation of PAM that may solve my problems?

Thanks for any input.

--
Matt Miller
Systems Administrator
MP TotalCare
gpg public key id: 08BC7B06
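
An added example, not part of the original message: a small Python triage script for the sshd log format quoted above. It groups fatal PAM failures by function and return code, so repeated failure modes and the sshd PIDs involved stand out. The sample input is the four log lines from the message; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the four syslog lines quoted in the message above.
SAMPLE_LOG = """\
Jul 10 10:48:12 foo sshd[27005]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[7]: Permission denied
Jul 10 10:48:49 foo sshd[26997]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[20]: Authentication token manipulation error
Jul 10 10:48:53 foo sshd[27011]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[-1]: Unknown error
Jul 10 10:53:16 foo sshd[27102]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[7]: Permission denied
"""

# Timestamp, host, sshd PID, optional "[ID n facility.level]" tag, then
# sshd's "fatal: PAM <function> failed[<code>]: <text>" message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?:\[ID\s\d+\s(?P<prio>[\w.]+)\]\s)?"
    r"fatal: PAM (?P<func>pam_\w+) failed\[(?P<code>-?\d+)\]:\s(?P<msg>.+)$"
)

def parse_pam_failures(text):
    """Return one dict per fatal PAM failure line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["pid"], ev["code"] = int(ev["pid"]), int(ev["code"])
            events.append(ev)
    return events

def summarize(events):
    """Group failures by (function, return code, text), keeping log order."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["func"], ev["code"], ev["msg"])].append(ev)
    return {
        key: {"count": len(evs), "pids": [e["pid"] for e in evs],
              "first": evs[0]["ts"], "last": evs[-1]["ts"]}
        for key, evs in groups.items()
    }

if __name__ == "__main__":
    report = summarize(parse_pam_failures(SAMPLE_LOG))
    for (func, code, msg), s in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{func} code {code:>3} x{s['count']}  {msg}  "
              f"pids={s['pids']}  {s['first']} .. {s['last']}")
```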