Error when changing expired password during login - SSH


Thread: Error when changing expired password during login

  1. Error when changing expired password during login

    I am running OpenSSH_4.1p1 on AIX 5.3.03. When I reset a user's
    password, a flag gets set that requires that they change their password
    as soon as they login. When they login, they get a message stating
    that they must change their password and then login again - as
    expected. The password change proceeds normally, but as soon as they
    enter the new password for the second time, this message immediately
    appears in the syslog: "sshd[20974]: error: getsockname failed: A file
    descriptor does not refer to an open file" and the system does NOT log
    them off. (20974 is the PID of the new user's shell process.) A
    couple of seconds later, the same message again appears in the syslog.

    I have two other machines with the same levels of AIX and SSH that do
    not do this. I've searched and cannot find any difference in the SSH
    configuration between the various machines. Could this be a file
    permission error, or network configuration, or ...?

    Thanks,
    Steve


  2. Re: Error when changing expired password during login

    On 2005-12-16, Steve wrote:
    > I am running OpenSSH_4.1p1 on AIX 5.3.03. When I reset a user's
    > password, a flag gets set that requires that they change their password
    > as soon as they login. When they login, they get a message stating
    > that they must change their password and then login again - as
    > expected. The password change proceeds normally, but as soon as they
    > enter the new password for the second time, this message immediately
    > appears in the syslog: "sshd[20974]: error: getsockname failed: A file
    > descriptor does not refer to an open file" and the system does NOT log
    > them off. (20974 is the PID of the new user's shell process.) A
    > couple of seconds later, the same message again appears in the syslog.
    >
    > I have two other machines with the same levels of AIX and SSH that do
    > not do this. I've searched and cannot find any difference in the SSH
    > configuration between the various machines. Could this be a file
    > permission error, or network configuration, or ...?


    I've not heard of this before, but I would guess that the difference is
    one of the UsePrivilegeSeparation or UsePAM settings in sshd_config.

    I suggest that you open an OpenSSH bug over at http://bugzilla.mindrot.org
    and we'll see what we can do to help you figure it out. If you do,
    please mention which options you used when you compiled it, and any
    non-default settings in sshd_config. Also, the debug output from sshd
    -ddd would be useful (please create as an attachment rather than pasting
    into the comment field).

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
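
Added example (not part of the original thread, and not OpenSSH or IBM code): one way to carry out the comparison suggested in the reply above, listing the active sshd_config directives on two hosts and printing only those that differ, such as UsePrivilegeSeparation or UsePAM. The function names and the two sample configuration files are constructed for illustration, and the script assumes configs without Match blocks.

```shell
#!/bin/sh
# Added example: compare the active sshd_config directives of two hosts.
# The two config files written by demo() are constructed sample input.

# Print one "keyword value" line per active directive: keyword lower-cased
# (sshd matches keywords case-insensitively), separator normalised, sorted.
sshd_active_settings() {
    awk '
        { sub(/\r$/, "") }                  # tolerate CRLF line endings
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")
            key = $0; sub(/[ \t=].*$/, "", key)
            val = substr($0, length(key) + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)
            print tolower(key) " " val
        }
    ' "$1" | sort -u
}

# Print directives found in only one file: "<" = first file, ">" = second.
sshd_config_diff() {
    {
        sshd_active_settings "$1" | sed 's/^/< /'
        sshd_active_settings "$2" | sed 's/^/> /'
    } | awk '
        { line = substr($0, 3); seen[line] = seen[line] $1 }
        END { for (l in seen) if (seen[l] != "<>") print seen[l] " " l }
    ' | sort -k2
}

# Constructed sample: host B differs in UsePrivilegeSeparation and UsePAM;
# keyword case and spacing differences must not be reported.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# host A (constructed)' 'Port 22' \
        'UsePrivilegeSeparation yes' '#UsePAM no' \
        'Subsystem sftp /usr/sbin/sftp-server' > "$d/a"
    printf '%s\n' '# host B (constructed)' 'port 22' \
        'useprivilegeseparation   no' 'UsePAM yes' \
        'Subsystem sftp /usr/sbin/sftp-server' > "$d/b"
    sshd_config_diff "$d/a" "$d/b"
    rm -rf "$d"
}

demo
```

The output of sshd_active_settings for a single host is also a compact list of the uncommented settings to attach to a bug report.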

  3. Re: Error when changing expired password during login

    Thanks, Darren. Bug # 1136 has been submitted. BTW, it appears that I
    was mistaken. It is happening now on all three servers.

    Steve


  4. Re: Error when changing expired password during login

    On 2005-12-19, Steve wrote:
    > Thanks, Darren. Bug # 1136 has been submitted. BTW, it appears that I
    > was mistaken. It is happening now on all three servers.


    I see that. I also see that the software in question is IBM's OpenSSH
    package.

    I've also added this to the bug, but for anyone else in this situation:
    you need to report problems with 3rd-party packages to that party unless
    you can also reproduce them with the vanilla OpenSSH compiled from the
    source.

    In many cases the packages contain modifications, and since OpenSSH is BSD
    licensed, 3rd parties are allowed to (and, indeed, are welcome to) produce
    derivative works without providing source (although many choose to).
    In this case, IBM provides source for an earlier version of their mods
    but not the one you're using.

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.

  5. Re: Error when changing expired password during login

    FYI, I had been compiling my SSH installs for years, but had some
    problems compiling a new version of OpenSSL a few months ago, which is
    why I decided to go with IBM's precompiled version. I wasn't aware
    that they had made code changes which were not available to the public.

    I was also using a precompiled version of OpenSSL, which was part of
    the problem since the install apparently did not include the header
    files, and OpenSSH will not compile without them. I finally downloaded
    the latest OpenSSL source files and got the compile bugs worked out,
    and I've now managed to build and install OpenSSH from the original
    source as well. The forced password change problem does not appear
    with this setup, so I'm a happy camper once again.

    I dug a little deeper into IBM's "OpenSSH on AIX" project on
    SourceForge, and discovered that this bug was reported to them back in
    October with OpenSSH 4.1 on AIX 5.2, and as yet there is no indication
    that anyone has even looked at it.

    Environment:
    OpenSSL 0.9.8a
    OpenSSH 4.2p1

    Thanks, Darren, for your help.

    Steve

