Expired password, openssh not invoking password change. - SSH



Thread: Expired password, openssh not invoking password change.

  1. Expired password, openssh not invoking password change.

    It looks like I've run into a problem. I can't be sure if this is a
    software bug or a designed feature with OpenSSH. I am currently running
    OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005.

    We have an OpenLDAP backend for user authentication and everything is
    working.

    The problem is this: I need to require my users to change their password
    on initial login to the system.

    I have attempted to use passwd with the -e flag and that fails saying:

    >-root-> passwd -e testuser

    Authentication failure.
    LDAP information update failed: Operations error
    Error while changing password expiry information.

    Now, if I use the chage function with the -M flag it seems to work.

    >-root-> chage -M 0 -D "cn=administrator,dc=motogroup,dc=com" testuser

    Enter LDAP Password:
    Aging information changed.

    When I attempt to login I get this:

    login as: testuser
    Using keyboard-interactive authentication.
    Password:
    You are required to change your LDAP password immediately.

    Last login: Mon Nov 28 09:03:49 2005 from rbecker.motogroup.com

    >-linuxadm03:intel(/dev/pts/0):/home/testuser
    >-testuser->


    It never forces me to change my password. Nothing in the logs says there
    are any problems, files not found or errors. Does anyone have any idea why
    OpenSSH isn't calling the passwd application when the user's password is
    expired?

    Thanks for your help.

    Rob Becker


  2. Re: Expired password, openssh not invoking password change.

    On 2005-11-28, robbecker@gmail.com wrote:
    > It looks like I've run into a problem. I can't be sure if this is a
    > software bug or a designed feature with OpenSSH. I am currently
    > running OpenSSH_4.2p1, OpenSSL 0.9.7i 14 Oct 2005.


    It's probably a bug somewhere, although it may or may not be in OpenSSH.

    [...]
    > When I attempt to login I get this:
    >
    > login as: testuser
    > Using keyboard-interactive authentication.
    > Password:
    > You are required to change your LDAP password immediately.
    >
    > Last login: Mon Nov 28 09:03:49 2005 from rbecker.motogroup.com


    It looks like you are using PAM?

    > It never forces me to change my password. Nothing in the logs say there
    > are any problems, files not found or errors. Does anyone have any idea
    > why OpenSSH isn't calling the passwd application when the users password
    > is expired?


    Based on the output here, I would guess it's because your pam_acct_mgmt()
    is not saying that the password is expired (ie returning PAM_SUCCESS
    rather than PAM_NEW_AUTHTOK_REQD).

    If you run sshd in debug mode (eg "path/to/sshd -ddde -p 2022" then connect
    to port 2022) you will see what PAM is returning (look for "pam_acct_mgmt =
    [something]").

    If that's not it, please open an OpenSSH bug at
    http://bugzilla.mindrot.org/ and we'll see what we can do to sort it out.
    If you do, please include the compile-time options and any non-default
    sshd_config options you used. Also, a copy of the PAM config for sshd
    would also be useful, if you are in fact using PAM.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  3. Re: Expired password, openssh not invoking password change.

    Looks like you're right. PAM is returning SUCCESS. Here are the
    snippets from the debugs.

    debug3: PAM: sshpam_query entering
    debug3: ssh_msg_recv entering
    debug1: do_pam_account: called
    debug3: PAM: sshpam_thread_conv entering, 1 messages
    debug3: ssh_msg_send: type 3
    debug3: ssh_msg_recv entering
    debug3: PAM: do_pam_account pam_acct_mgmt = 0 (Success)
    debug3: ssh_msg_send: type 0
    debug1: PAM: You are required to change your LDAP password immediately.

    debug3: PAM: import_environments entering
    debug3: sshpam_password_change_required 0
    debug3: PAM: num env strings 0
    debug1: PAM: num PAM env strings 0
    debug3: mm_request_send entering: type 51
    debug3: mm_request_receive entering
    debug3: mm_sshpam_query: pam_query returned 0


    So, what does this mean to me? PAM is broken?
    Here is my PAM sshd config file.

    #%PAM-1.0
    auth required pam_nologin.so
    auth sufficient pam_ldap.so
    auth required pam_unix2.so use_first_pass debug # set_secrpc
    account required pam_unix2.so
    account required pam_access.so
    password required pam_pwcheck.so
    password required pam_ldap.so use_authtok
    password required pam_unix2.so use_first_pass use_authtok
    session required pam_unix2.so
    session required pam_limits.so
    session required pam_env.so
    session optional pam_mkhomedir.so skel=/etc/skel umask=0022
    session optional pam_mail.so


    My compile time options for openSSH were "--use-md5-passwords
    --use-pam" that was it.

    Thanks a bunch for the help.

    -Rob Becker.


  4. Re: Expired password, openssh not invoking password change.

    On 2005-12-01, robbecker@gmail.com wrote:
    [snip]

    > So, what does this mean to me? PAM is broken?


    Probably just misconfigured.

    > account required pam_unix2.so
    > account required pam_access.so
    > password required pam_pwcheck.so
    > password required pam_ldap.so use_authtok


    You don't have pam_ldap in your account stack, so it won't be checked
    during pam_acct_mgmt().

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
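Added example, not part of the thread: a small Python checker that parses the sshd PAM config posted in message 3 and reports, as message 4 diagnoses, auth-stack modules that have no entry in the account stack (so pam_acct_mgmt() never sees their expiry data). FIXED_PAM_SSHD and the AUTH_ONLY_HELPERS allowlist are assumptions, not something the thread states.

```python
POSTED_PAM_SSHD = """\
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix2.so use_first_pass debug # set_secrpc
account required pam_unix2.so
account required pam_access.so
password required pam_pwcheck.so
password required pam_ldap.so use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_unix2.so
session required pam_limits.so
session required pam_env.so
session optional pam_mkhomedir.so skel=/etc/skel umask=0022
session optional pam_mail.so
"""
# Assumed fix, not quoted from the thread: give the account stack its own
# pam_ldap entry so pam_acct_mgmt() sees the LDAP aging data before pam_unix2.
FIXED_PAM_SSHD = POSTED_PAM_SSHD.replace(
    "account required pam_unix2.so\n",
    "account sufficient pam_ldap.so\naccount required pam_unix2.so\n", 1)

# Assumed allowlist: modules that gate logins but hold no per-user aging data.
AUTH_ONLY_HELPERS = {"pam_nologin.so"}

def parse_pam(text):
    """Parse pam.d text into (type, control, module, args) tuples.
    Strips '#' comments and joins backslash-continued lines."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1] + " "
            continue
        pending = ""
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0].lower(), parts[1].lower(), parts[2], parts[3:]))
    return entries

def account_stack_gaps(text):
    """Auth-stack modules absent from the account stack. Their expiry state is
    never consulted by pam_acct_mgmt(), which then returns PAM_SUCCESS."""
    entries = parse_pam(text)
    auth = {m for t, _, m, _ in entries if t == "auth"}
    account = {m for t, _, m, _ in entries if t == "account"}
    return sorted(auth - account - AUTH_ONLY_HELPERS)
```

Run account_stack_gaps() over /etc/pam.d/sshd on the host; a non-empty result is the same mismatch seen in this thread, and the sshd -ddde output's "pam_acct_mgmt = 0 (Success)" line is its symptom.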
