Chip Christian wrote: > > erbenson@alaska.net said: > > scp does not create an interactive session, so it should be possible > > for ssh to eschew password change enforcment for non-interactive > > sessions. > > > this would allow users to avoid it by logging in by ssh host /bin/bash > > but if they are that stubborn they will find other ways to get out of > > changing their password. > > Sure, but it still ought to consume any grace logins the user has left, so > once the password expires for good, all logins, passworded or not, should > fail. Moreover, I think that even scp (and any other non-interactive app) should just refuse access if user's password should be changed. (It must if it is expired, as Chip Christian said.) "Hey, change your password firts using some interactive way, and retry afterwards". Actually, scp _is_ (partially) interactive.
