Kermit 95 NOT prompting for new password after expiration - Protocols

This is a discussion on Kermit 95 NOT prompting for new password after expiration - Protocols ; Hi: My company has started to implement hardened/expiring passwords on all of its HP-UX UNIX servers. Prior to the change we had been using Kermit 95 GUI (SSH v2 enabled) for about two months without any issues (After some serious ...

+ Reply to Thread
Results 1 to 3 of 3

Thread: Kermit 95 NOT prompting for new password after expiration

  1. Kermit 95 NOT prompting for new password after expiration

    Hi:

    My company has started to implement hardened/expiring passwords on all
    of its HP-UX UNIX servers. Prior to the change we had been using
    Kermit 95 GUI (SSH v2 enabled) for about two months without any issues
    (After some serious scripting work). Anyway, after the expiring
    password change went into effect, we're finding that when a user's
    login expires, they're not being being prompted to change their login.
    As a result of this apparent limitation, they're contacting MIS and
    we're resetting their passwords for their accounts. Obviously, that is
    not a permenant solution to the problem. Anyone have any ideas?

    Note: I've 'heard' that without the password the user's identify can't
    be
    authenticated, so SSH won't allow the unauthenticated person to
    reset
    the password. If this is true, then it would seem that SSH
    password
    authentication and expiring passwords are mutually exclusive.
    :*(

  2. Re: Kermit 95 NOT prompting for new password after expiration

    David Murray wrote:
    > Hi:
    >
    > My company has started to implement hardened/expiring passwords on

    all
    > of its HP-UX UNIX servers. Prior to the change we had been using
    > Kermit 95 GUI (SSH v2 enabled) for about two months without any

    issues
    > (After some serious scripting work). Anyway, after the expiring
    > password change went into effect, we're finding that when a user's
    > login expires, they're not being being prompted to change their

    login.
    > As a result of this apparent limitation, they're contacting MIS and
    > we're resetting their passwords for their accounts. Obviously, that

    is
    > not a permenant solution to the problem. Anyone have any ideas?
    >
    > Note: I've 'heard' that without the password the user's identify

    can't
    > be
    > authenticated, so SSH won't allow the unauthenticated person to
    > reset
    > the password. If this is true, then it would seem that SSH
    > password
    > authentication and expiring passwords are mutually exclusive.
    > :*(


    I have a similar environment to yours with one of my hosts, but I don't
    know if I have the problem or not. The host is an HP 9000/800 running
    HP-UX B.11.00. I access the host via Kermit-95 2.1.3 GUI acting as an
    SSH v2 client with v2 RSA public/private keys.

    Passwords on the host expire roughly every 6 months, but beginning
    about 10 days before expiration I see a message at logon that says my
    password will expire on X date.

    Normally I wait until the password is a day or two from expiring and
    change it using the passwd command. I've never had a problem, but I
    don't know if I've ever actually let the password expire since I've
    been using SSH access. I know the password has expired in the past when
    I was using Kermit as a telnet client, but of course that isn't
    relevant to this.

    I would be willing to let the password expire just to see what happens
    as telnet is still available as a backup, but it just expired this
    month and won't expire again until February.

    I note you refer to "some serious scripting work". Did this include a
    login script? Could the password change dialog be getting lost in the
    script?

    --
    Mark Sapiro msapiro at value dot net The highway is for gamblers,
    San Francisco Bay Area, California better use your sense - B. Dylan


  3. Re: Kermit 95 NOT prompting for new password after expiration

    The primary requirement for password expiration detection
    is that the daemon running on the server incorporate the necessary
    support for the given password authentication database: shadow
    password files, NIS+, AIX passwords, etc. If the daemon does
    not have the necessary support, there is nothing that the client
    can do.

    Recent versions of OpenSSH provide such support. The way the
    end user is prompted for the password change is via the SSH
    keyboard-interactive authentication mechanism. After the
    password is changed the seesion is disconnected and the end user
    must re-connect. Kermit 95 can support this functionality.

    Jeffrey Altman


    --
    -----------------
    This e-mail account is not read on a regular basis.
    Please send private responses to jaltman at mit dot edu

+ Reply to Thread