On Fri, Oct 17, 2008 at 11:35:35AM +1100, Darren Tucker wrote:
> You could disable PasswordAuthentication and require Protocol 2 with
> keyboard-interactive authentication, which will probably work since it
> does both authentication and password change through the same
> conversation function.

That seemed to work just fine;
< PasswordAuthentication yes
> PasswordAuthentication no

< ChallengeResponseAuthentication no
> ChallengeResponseAuthentication yes

And now...
$ ssh fred@localhost
You are required to change your password immediately (password aged)
Changing password for fred
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
Last login: Fri Oct 17 15:15:18 2008 from localhost.localdomain

> It would be possible to hack around in sshd, however I don't think it's
> worth the effort since it's demonstrably a (since fixed) LinuxPAM bug.

And the ChallengeResponseAuthentication acts as a sufficient workaround
for the older systems.

Thank you very much!


openssh-unix-dev mailing list