I wanted to follow up on this because I did find the fix and it was (of course) on the server side. In the sshd_config, (on my system, it's in /usr/local/etc), there is now an option to UsePAM. By default, this is turned off. It needs set to yes and all was fine in the world for me. Keyboard-interactive was needed for changing the password, so that bit of information was useful, thanks.

WS_FTP Pro was unable to accommodate password changing, however. I contacted the company and was told it was a matter of how the expiration was handled. They were doing it "correctly" and expiring the password at one moment, where the Unix system was expiring at a different moment. Either way, it doesn't work for my situation.

If there is anyone around that has specific experience with WS_FTP Pro, OpenSSH, and changing expired passwords, I'd love to hear from you and how you handled it. I have users that would really really like to stick with WS_FTP, but without this level of functionality, I can't recommend it.

Thanks,
Russ Oliver

-----Original Message-----
From: Bob Rasmussen [mailto:info@xxxxxxx]
Sent: Thursday, January 31, 2008 10:24 AM
To: Russell Millard Oliver
Cc: secureshell@xxxxxxxxxxxxxxxxx; secureshell-return-9729@xxxxxxxxxxxxxxxxx
Subject: Re: Expired password unchangeable with SFTP clients

On Thu, 31 Jan 2008, Russell Millard Oliver wrote:

> I am running Solaris 9, OpenSSH 4.7p1
> I am trying to configure SFTP-only users that will not have shell
> access. As referenced in various places, I simply create a user whose
> shell is /usr/local/libexec/sftp-server.
>
> This works great for our use and I was just about to take it from
> development to production when I started building accounts and expiring
> the password. When I try to log on with various different SFTP clients
> (putty's sftp client, ssh.com's free client, WinSCP, and even WS_FTP
> Pro), if the password is expired, I get authentication failure. Using
> Sun's SSH server, this works fine, but we're moving to OpenSSH.
>
> Is there a configuration I don't know about that would allow me to be
> able to change an expired password? Any other suggestions?

Are you allowing keyboard-interactive authentication? In some systems (at least) that I have worked with, the sshd deals with an expired password by using the keyboard-interactive mechanism to prompt the user for the old and then the new password.

I don't know whether PuTTY, etc., handle this in their SFTP clients. But this might be a clue for you.

Regards,
....Bob Rasmussen, President, Rasmussen Software, Inc.
personal e-mail: ras@xxxxxxxxx
company e-mail: rsi@xxxxxxxxx
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
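The following is an added example, not part of the thread and not OpenSSH's own code: a shell check that an sshd_config has the two settings the thread identifies (UsePAM and keyboard-interactive) actually in effect, honouring sshd's rule that the first value read for a keyword wins. Assumptions: the function names are hypothetical, KbdInteractiveAuthentication and ChallengeResponseAuthentication are treated as one switch defaulting to yes, only the global section (before any Match line) is read, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the settings needed to let a user
# change an expired password at login (UsePAM + keyboard-interactive).

# Print the effective value for the keyword aliases in $2 ('|'-separated,
# lowercase) from file $1, or the default $3 if none is set.
# sshd keywords are case-insensitive and the first value read wins.
sshd_effective() {
    awk -v keys="$2" -v def="$3" '
        BEGIN { n = split(keys, k, "|"); for (i = 1; i <= n; i++) want[k[i]] = 1 }
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        { line = $0; sub(/^[ \t]+/, "", line)
          split(line, f, "[ \t=]+")                  # "Key value" or "Key=value"
          key = tolower(f[1]) }
        key == "match" { exit }                      # global section only (assumption)
        (key in want) { print tolower(f[2]); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Return 0 only when both settings are effectively "yes"; print what was found.
expired_pw_change_ready() {
    pam=$(sshd_effective "$1" "usepam" no)
    kbd=$(sshd_effective "$1" \
        "kbdinteractiveauthentication|challengeresponseauthentication" yes)
    echo "UsePAM=$pam keyboard-interactive=$kbd"
    [ "$pam" = yes ] && [ "$kbd" = yes ]
}

# Constructed sample: a later "UsePAM yes" does not override an earlier "no".
sample=$(mktemp)
printf '%s\n' '# constructed sample config' \
    'Subsystem sftp /usr/local/libexec/sftp-server' \
    'usepam no' \
    'UsePAM yes' > "$sample"
if expired_pw_change_ready "$sample"; then
    echo "expired-password change prompt can work"
else
    echo "expired-password change will fail: fix the settings above"
fi
rm -f "$sample"
```
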