On Thu, 31 Jan 2008, Russell Millard Oliver wrote:

> I am running Solaris 9, OpenSSH 4.7p1
> I am trying to configure SFTP-only users that will not have shell
> access. As referenced in various places, I simply create a user whose
> shell is /usr/local/libexec/sftp-server.
>
> This works great for our use and I was just about to take it from
> development to production when I started building accounts and expiring
> the password. When I try to log on with various different SFTP clients
> (PuTTY's sftp client, ssh.com's free client, WinSCP, and even WS_FTP
> Pro), if the password is expired, I get authentication failure. Using
> Sun's SSH server, this works fine, but we're moving to OpenSSH.
>
> Is there a configuration I don't know about that would allow me to be
> able to change an expired password? Any other suggestions?


Are you allowing keyboard-interactive authentication? In some systems (at
least) that I have worked with, the sshd deals with an expired password
by using the keyboard-interactive mechanism to prompt the user for the old
and then the new password. I don't know whether PuTTY, etc., handle this
in their SFTP clients. But this might be a clue for you.

Regards,
.....Bob Rasmussen, President, Rasmussen Software, Inc.

personal e-mail: ras@anzio.com
company e-mail: rsi@anzio.com
voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
fax: (US) 503-624-0760
web: http://www.anzio.com
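
One way to check the setting the reply asks about, as an added example that is not part of the original thread: shell functions that read an sshd_config and report whether keyboard-interactive authentication is enabled globally. It assumes the server's keyboard-interactive support is backed by PAM (so `UsePAM` matters as well) and that the sshd_config(5) defaults apply (`ChallengeResponseAuthentication yes`, `UsePAM no`); the function names and the sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample configs are constructed.

# effective_opt KEYWORD DEFAULT  (sshd_config text on stdin)
# Prints the global value sshd would use: keywords are case-insensitive,
# the first occurrence wins, and global settings end at the first Match.
effective_opt() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); val = def }
        /^[ \t]*#/ { next }                       # comment line
        tolower($1) == "match" { exit }           # global section ends
        tolower($1) == key && NF >= 2 { val = tolower($2); exit }
        END { print val }
    '
}

# kbdint_expiry_check  (sshd_config text on stdin)
# Assumption: keyboard-interactive is backed by PAM on this build, so both
# ChallengeResponseAuthentication and UsePAM must be "yes".
kbdint_expiry_check() {
    cfg=$(cat)
    cra=$(printf '%s\n' "$cfg" | effective_opt ChallengeResponseAuthentication yes)
    pam=$(printf '%s\n' "$cfg" | effective_opt UsePAM no)
    if [ "$cra" = yes ] && [ "$pam" = yes ]; then
        echo "ok: keyboard-interactive via PAM is enabled"
        return 0
    fi
    echo "check: ChallengeResponseAuthentication=$cra UsePAM=$pam"
    return 1
}

sample_before() { cat <<'EOF'
Subsystem sftp /usr/local/libexec/sftp-server
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM no
EOF
}

sample_after() { cat <<'EOF'
Subsystem sftp /usr/local/libexec/sftp-server
# first occurrence wins, so the duplicate below is ignored
challengeresponseauthentication yes
UsePAM yes
UsePAM no
EOF
}

sample_before | kbdint_expiry_check || true
sample_after | kbdint_expiry_check
```

To audit a real server, feed its own sshd_config to `kbdint_expiry_check` on stdin in place of the samples.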