[ Sorry for the length of this; I felt it better to provide potentially
too much info, rather than not enough. I've probably missed something
that's important, though! ]

I have an odd problem with 5.1p on RHEL3 if "UsePAM yes" and
"UsePrivilegeSeparation no" is set. The code detects that the user
password is aged (according to shadow) but then fails to let me change
the password:

% ssh -p 2222 fred@localhost
fred@localhost's password:
You are required to change your password immediately (password aged)
Last login: Thu Oct 16 14:28:14 2008 from localhost.localdomain
Connection to localhost closed.

If I run the server in -ddd mode,
% ssh fred@localhost -p 2222
fred@localhost's password:
You are required to change your password immediately (password aged)
Last login: Thu Oct 16 14:56:04 2008 from localhost.localdomain
debug1: PAM: changing password
PAM: pam_chauthtok(): Authentication token manipulation error
debug1: do_cleanup
Connection to localhost closed.

On the server side, I see

Failed publickey for fred from port 32786 ssh2
debug1: userauth-request for user fred service ssh-connection method password
debug1: attempt 3 failures 2
debug2: input_userauth_request: try method password
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for fred
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 12 (Authentication token is no longer valid; new one required.)
debug3: sshpam_password_change_required 1
Accepted password for fred from port 32786 ssh2
debug1: PAM: establishing credentials
debug3: PAM: opening session
debug1: Entering interactive session for SSH2.
debug2: fd 4 setting O_NONBLOCK
debug2: fd 5 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 0 win 1048576 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_global_request: rtype no-more-sessions@openssh.com want_reply 0
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_pty_req: session 0 alloc /dev/pts/2
debug3: tty_parse_modes: SSH2 n_bytes 256
debug3: tty_parse_modes: ospeed 38400
debug3: tty_parse_modes: ispeed 38400
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug1: Setting controlling tty using TIOCSCTTY.
debug2: fd 3 setting TCP_NODELAY
debug2: channel 0: rfd 8 isatty
debug2: fd 8 setting O_NONBLOCK
debug3: fd 6 is O_NONBLOCK
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 6942
debug1: session_exit_message: session 0 channel 0 pid 6942
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0

[channel closing debug messages]

debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 server-session (t4 r0 i3/0 o3/0 fd -1/-1 cfd -1)

debug3: channel 0: close_fds r -1 w -1 e -1 c -1
Connection closed by
debug1: do_cleanup
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session
debug3: PAM: sshpam_thread_cleanup entering
Transferred: sent 2240, received 2512 bytes
Closing connection to port 32786

If I do "UsePAM no" _or_ "UsePrivilegeSeparation yes" then the password
change process works...
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user fred.
Changing password for fred
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to localhost closed.

(that logout and login again process is annoying)

The error message received looks very similar to a problem Darren had
with LinuxPAM back in 2004 about setting the conversation, but I can't
find if this was ever resolved

Of course the RedHat provided OpenSSH3.6 package (with their gazillion
patches) works just fine; allows the password to be changed and doesn't
force a logout/login again.

Any ideas? I'm trying to standardise on a single version of OpenSSH over
all my platforms (Solaris 8,9,10, RHEL 2.1,3,4) and people are looking
at me pretty funny when my replacement package can't perform as well as
the OS provided one! (Of course it works fine on RHEL2.1, RHEL4 and
Solaris, but we have a large RHEL3 footprint)

sshd_config contents...

#Port 22
#Protocol 2,1
#AddressFamily any
#ListenAddress ::
#HostKey /etc/myssh/ssh/ssh_host_key
#HostKey /etc/myssh/ssh/ssh_host_rsa_key
#HostKey /etc/myssh/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
LoginGraceTime 1m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile /etc/myssh/ssh/auth_keys/%u
#RhostsRSAAuthentication no
#HostbasedAuthentication no
#IgnoreUserKnownHosts no
#IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
UsePAM yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation no
#PermitUserEnvironment no
Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
# Banner /etc/issue
# override default of no subsystems
Subsystem sftp /opt/myssh/libexec/sftp-server

RedHat Enterprise Linux 3
Linux 2.4.21-47.0.1.EL
OpenSSH_5.1p1, OpenSSL 0.9.7k 05 Sep 2006

Thanks for your time!


openssh-unix-dev mailing list