On Fri, Oct 17, 2008 at 11:35:35AM +1100, Darren Tucker wrote:
> You could disable PasswordAuthentication and require Protocol 2 with
> keyboard-interactive authentication, which will probably work since it
> does both authentication and password change through the same
> conversation function.


That seemed to work just fine;
< PasswordAuthentication yes
---
> PasswordAuthentication no

62c62
< ChallengeResponseAuthentication no
---
> ChallengeResponseAuthentication yes
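
Review bot: neither hunk touches a Protocol line, although the suggestion quoted above was to require Protocol 2 together with keyboard-interactive authentication. The two changes shown only switch PasswordAuthentication off and ChallengeResponseAuthentication on, so confirm that the rest of this sshd_config already restricts the server to Protocol 2 before relying on this as the complete workaround.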


And now...
$ ssh fred@localhost
Password:
You are required to change your password immediately (password aged)
Changing password for fred
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
Last login: Fri Oct 17 15:15:18 2008 from localhost.localdomain

> It would be possible to hack around in sshd, however I don't think it's
> worth the effort since it's demonstrably a (since fixed) LinuxPAM bug.


And the ChallengeResponseAuthentication acts as a sufficient workaround
for the older systems.

Thank you very much!

--

rgds
Stephen