cannot ssh login with expired password - VMS



Thread: cannot ssh login with expired password

  1. cannot ssh login with expired password

    I've a VMS user with PWDLIFETIME of 90 days. When the password is
    expired I cannot login via ssh. No error is given, the output is
    identical to the case of wrong password, i.e. after 3 attempts,
    the login process is aborted. I have to login via console, where
    I'm informed that the password is expired and I have to change it.

    Is this the expected behaviour?

    thanks
    anton

    --
    Anton Shterenlikht
    Room 2.6, Queen's Building
    Mech Eng Dept
    Bristol University
    University Walk, Bristol BS8 1TR, UK
    Tel: +44 (0)117 928 8233
    Fax: +44 (0)117 929 4423

  2. Re: cannot ssh login with expired password

    It is expected behaviour (known bug?) on older versions of TCPIP
    services.
    On TCP/IP 5.6 (probably since 5.5) it will allow you to login with an
    expired password by default,
    but you should check SSHD2_CONFIG which says in TCPIP 5.6:

    # V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
    # AllowVmsLoginWithExpiredPw yes
    # AllowNonvmsLoginWithExpiredPw no
    # UserLoginLimit -1

    Regards,
    jose


  3. Re: cannot ssh login with expired password

    On Sep 3, 7:26 am, Anton Shterenlikht wrote:
    > I've a VMS user with PWDLIFETIME of 90 days. When the password is
    > expired I cannot login via ssh. No error is given, the output is
    > identical to the case of wrong password, i.e. after 3 attempts,
    > the login process is aborted. I have to login via console, where
    > I'm informed that the password is expired and I have to change it.
    >
    > Is this the expected behaviour?
    >
    > thanks
    > anton
    >


    It depends on which TCP/IP stack you are using as well as what client
    s/w you are using.

    We ran into this problem in March-2007 while running TCPware-5.7-2 on
    OpenVMS along with Reflection-14 on Windows-XP.

    To fix this problem we needed to apply SSH patches for TCPware along
    with patch 14.2-1 for Reflection.

    Neil Rieck
    Kitchener/Waterloo/Cambridge,
    Ontario, Canada.
    http://www3.sympatico.ca/n.rieck/


  4. Re: cannot ssh login with expired password

    On Mon, Sep 03, 2007 at 05:59:33AM -0700, Jose Baars wrote:
    > It is expected behaviour ( known bug?) on older versions of TCPIP
    > services.
    > On TCP/IP 5.6 (probably since 5.5) it will allow you to login with an
    > expired password by default,
    > but you should check SSHD2_CONFIG which says in TCPIP 5.6:
    >
    > # V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
    > # AllowVmsLoginWithExpiredPw yes
    > # AllowNonvmsLoginWithExpiredPw no
    > # UserLoginLimit -1


    Jose, many thanks

    Yes I'm running TCPIP 5.6 on VMS 8.3. I uncommented these lines

    # V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
    AllowVmsLoginWithExpiredPw yes
    AllowNonvmsLoginWithExpiredPw yes
    UserLoginLimit -1

    but still no luck. Now I'm being told that the password has expired,
    but when I change it, the access is still denied:

    system@xx.xx.xx.xx's password:
    Your password has expired; you must set a new password to log in
    Enter system@xx.xx.xx.xx's old password:
    Enter system@xx.xx.xx.xx's new password:
    Retype system@xx.xx.xx.xx's new password:
    Permission denied (publickey).

    What's more, after I changed the password from the console, I cannot
    login via ssh at all.

    So in the end I had to comment the above 3 lines again.

    --
    Anton Shterenlikht
    Room 2.6, Queen's Building
    Mech Eng Dept
    Bristol University
    University Walk, Bristol BS8 1TR, UK
    Tel: +44 (0)117 928 8233
    Fax: +44 (0)117 929 4423

  5. Re: cannot ssh login with expired password


    On Itanium, there is an ECO kit for TCPIP version 5.6 (ECO1) available,
    that you want to install. I'm not sure if this ECO kit is also available
    for Alpha, but on our Itanium WITH the eco kit changing the expired
    password with SSH works, I just tested it:

    jose's password:
    Your password has expired; you must set a new password to log in


    New password:

    Verification:
    Authentication successful.


    @disk:[CLUSTER_COMMON]ANNOUNCE.TXT

    ....


  6. Re: cannot ssh login with expired password

    In article <20070903154924.GA48876@mech-aslap33.men.bris.ac.uk>, Anton Shterenlikht writes:
    >On Mon, Sep 03, 2007 at 05:59:33AM -0700, Jose Baars wrote:
    >> It is expected behaviour ( known bug?) on older versions of TCPIP
    >> services.
    >> On TCP/IP 5.6 (probably since 5.5) it will allow you to login with an
    >> expired password by default,
    >> but you should check SSHD2_CONFIG which says in TCPIP 5.6:
    >>
    >> # V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
    >> # AllowVmsLoginWithExpiredPw yes
    >> # AllowNonvmsLoginWithExpiredPw no
    >> # UserLoginLimit -1

    >
    >Jose, many thanks
    >
    >Yes I'm running TCPIP 5.6 on VMS 8.3. I uncommented these lines
    >
    ># V5.5-04: Correct default for AllowVmsLoginWithExpiredPw
    > AllowVmsLoginWithExpiredPw yes
    > AllowNonvmsLoginWithExpiredPw yes
    > UserLoginLimit -1
    >
    >but still no luck. Now I'm being told that the password has expired,
    >but when I change it, the access is still denied:


    The default has changed and that means, that you cannot enable
    what is already enabled. You can only disable it ;-)

    What client do you use?

    We had to upgrade PuTTY to get the password change feature
    (IIRC it was 0.59 instead of 0.58 - 0.60 is current)

    So, check your client and maybe upgrade...

    -EPLAN

    PS: PuTTY 0.58 and before was no problem with TCPware SSH and expired
    passwords (but then again, TCPware logs out after a successful pwdchg
    and you have to reconnect with the new password)
    --
    Peter "EPLAN" LANGSTOEGER
    Network and OpenVMS system specialist
    E-mail peter@langstoeger.at
    A-1030 VIENNA AUSTRIA I'm not a pessimist, I'm a realist

  7. Re: cannot ssh login with expired password

    On Mon, Sep 03, 2007 at 07:46:55AM -0700, Neil Rieck wrote:
    > On Sep 3, 7:26 am, Anton Shterenlikht wrote:
    > > I've a VMS user with PWDLIFETIME of 90 days. When the password is
    > > expired I cannot login via ssh. No error is given, the output is
    > > identical to the case of wrong password, i.e. after 3 attempts,
    > > the login process is aborted. I have to login via console, where
    > > I'm informed that the password is expired and I have to change it.
    > >
    > > Is this the expected behaviour?
    > >

    > It depends on which TCP/IP stack you are using as well as what client
    > s/w you are using.
    >
    > We ran into this problem in March-2007 while running TCPware-5.7-2 on
    > OpenVMS along with Reflection-14 on Windows-XP.
    >
    > To fix this problem we needed to apply SSH patches for TCPware along
    > with patch 14.2-1 for Reflection.


    my ssh comes by default with the base FBSD 6.2-STABLE:

    % ssh -V
    OpenSSH_4.5p1 FreeBSD-20061110, OpenSSL 0.9.7e-p1 25 Oct 2004
    %

    Letter "p" in the version number apparently means portable, which
    according to this port's description:

    % pwd
    /usr/ports/security/openssh-portable

    % cat pkg-descr
    OpenBSD's OpenSSH portable version

    Normal OpenSSH development produces a very small, secure, and easy to maintain
    version for the OpenBSD project. The OpenSSH Portability Team takes that pure
    version and adds portability code so that OpenSSH can run on many other
    operating systems (Unfortunately, in particular since OpenSSH does
    authentication, it runs into a *lot* of differences between Unix operating
    systems).

    The portable OpenSSH follows development of the official version, but releases
    are not synchronized. Portable releases are marked with a 'p' (e.g. 3.1p1).
    The official OpenBSD source will never use the 'p' suffix, but will instead
    increment the version number when they hit 'stable spots' in their development.


    WWW: http://www.openssh.org/portable.html
    %

    Using this port I can upgrade to 4.6p1. But I'm not sure if
    that will help. I'm rather confused about this issue, as there seem to be
    several different implementations of ssh, e.g. there are also openssh-3.6.1
    and ssh2-3.2.9.1 in the ports.

    many thanks
    anton

    --
    Anton Shterenlikht
    Room 2.6, Queen's Building
    Mech Eng Dept
    Bristol University
    University Walk, Bristol BS8 1TR, UK
    Tel: +44 (0)117 928 8233
    Fax: +44 (0)117 929 4423

  8. Re: cannot ssh login with expired password

    As I'm confined to a simple Windows PC to test this, I am depending on
    binary Windows packages for OpenSSH; I couldn't find anything more recent
    than 4.3p2.

    I tested version OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004,
    and OpenSSH_4.3p2, OpenSSL 0.9.8 05 Jul 2005,
    and both do not work when a password is expired.

    Putty 6.0 does work.



  9. Re: cannot ssh login with expired password

    In article <20070903112651.GA48190@mech-aslap33.men.bris.ac.uk>, Anton Shterenlikht writes:
    > I've a VMS user with PWDLIFETIME of 90 days. When the password is
    > expired I cannot login via ssh. No error is given, the output is
    > identical to the case of wrong password, i.e. after 3 attempts,
    > the login process is aborted. I have to login via console, where
    > I'm informed that the password is expired and I have to change it.
    >
    > Is this the expected behaviour?


    SSH does not account for the handshake needed to force password
    change at login. How much you can get around this probably depends
    on which SSH you're using.

    Using Multinet I've been able to put code in sylogin.com that will
    detect the situation and do a "set password" command, but due to the
    limits of what "set password" returns to DCL I had to limit the code
    to forcing a logout after the change whether the change happened or
    not. What I have is still not fully reliable, but meets the needs
    for our site.

    Simply prohibiting ssh login when a password is expired is an
    available option, but not particularly desirable since SSH users
    really need to be able to change their passwords via SSH. What's
    the point of using SSH if you have to change passwords via a
    non-encrypted protocol (not everyone has access to local terminals)?

    The fault lies in the current definition of the SSH protocol.



  10. Re: cannot ssh login with expired password

    On Tue, 04 Sep 2007 05:11:40 -0700, Jose Baars wrote:

    > As I'm confined to a simple Windows PC to test this, I am depending
    > on
    > binary Windows packages for OpenSSH, I couldn't find anything more
    > recent
    > than 4.3p2.
    >
    > I tested version OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004,
    > and OpenSSH_4.3p2, OpenSSL 0.9.8 05 Jul 2005,
    > and both do not work when a password is expired.
    >
    > Putty 6.0 does work.
    >

    That should be 0.60



    --
    PL/I for OpenVMS
    www.kednos.com

  11. Re: cannot ssh login with expired password


    > > Putty 6.0 does work.

    >
    > That should be 0.60
    >

    Sorry, I stand corrected, I was off by a factor of 10. Can you imagine
    the speeding tickets I get?



  12. Re: cannot ssh login with expired password

    On Sep 4, 9:12 am, koeh...@eisner.nospam.encompasserve.org (Bob
    Koehler) wrote:
    > In article <20070903112651.GA48...@mech-aslap33.men.bris.ac.uk>, Anton Shterenlikht writes:
    >
    > > I've a VMS user with PWDLIFETIME of 90 days. When the password is
    > > expired I cannot login via ssh. No error is given, the output is
    > > identical to the case of wrong password, i.e. after 3 attempts,
    > > the login process is aborted. I have to login via console, where
    > > I'm informed that the password is expired and I have to change it.

    >
    > > Is this the expected behaviour?

    >
    > SSH does not account for the handshake needed to force password
    > change at login. How much you can get around this probably depends
    > on which SSH you're using.
    >
    > Using Multinet I've been able to put code in sylogin.com that will
    > detect the situation and do a "set password" command, but due to the
    > limits of what "set password" returns to DCL I had to limit the code
    > to forcing a logout after the change whether the change happened or
    > not. What I have is still not fully reliable, but meets the needs
    > for our site.
    >
    > Simply prohibiting ssh login when a password is expired is an
    > available option, but not particularly desirable since SSH users
    > really need to be able to change their passwords via SSH. What's
    > the point of using SSH if you have to change passwords via a
    > non-encrypted protocol (not everyone has access to local terminals)?
    >
    > The fault lies in the current definition of the SSH protocol.
    >


    I might be totally out to lunch here but I was led to believe that
    SSH2 had these features, and that is why most client s/w first tried
    to connect using SSH2 before falling back to plain old SSH.

    So your statement "The fault lies in the current definition of the SSH
    protocol" is literally true. But we have got this expired password
    thing working using the latest versions of TCPware along with
    Reflection-WRQ (now Attachmate)

    NSR
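
Added example, not part of the original thread or any poster's code: the SSH2 authentication protocol (RFC 4252) defines a password-change exchange for the "password" method, and this sketch builds the client messages and parses the server replies involved. The user name, passwords and language tag are constructed; the prompt text is the one quoted earlier in the thread.

```python
import struct

# RFC 4252 message numbers; 60 means PASSWD_CHANGEREQ only after a "password" request.
USERAUTH_REQUEST, USERAUTH_FAILURE, USERAUTH_SUCCESS = 50, 51, 52
USERAUTH_PASSWD_CHANGEREQ = 60

def ssh_string(text):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    data = text.encode("utf-8")
    return struct.pack(">I", len(data)) + data

def read_string(buf, offset):
    """Decode one SSH string at offset; return (text, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated SSH string")
    return buf[offset + 4:end].decode("utf-8"), end

def password_request(user, password, new_password=None):
    """Client side: plain login (boolean FALSE) or password change (TRUE)."""
    changing = new_password is not None
    body = bytes([USERAUTH_REQUEST]) + ssh_string(user)
    body += ssh_string("ssh-connection") + ssh_string("password")
    body += bytes([1 if changing else 0]) + ssh_string(password)
    return body + (ssh_string(new_password) if changing else b"")

def parse_server_reply(payload):
    """Client side: classify the server's answer to a password request."""
    kind = payload[0] if payload else None
    if kind == USERAUTH_SUCCESS:
        return {"result": "success"}
    if kind == USERAUTH_PASSWD_CHANGEREQ:
        prompt, off = read_string(payload, 1)
        return {"result": "change-required", "prompt": prompt,
                "lang": read_string(payload, off)[0]}
    if kind == USERAUTH_FAILURE:
        methods, off = read_string(payload, 1)
        if off >= len(payload):
            raise ValueError("missing partial-success flag")
        return {"result": "failure", "partial_success": bool(payload[off]),
                "can_continue": methods.split(",") if methods else []}
    raise ValueError("unexpected reply to a password request")

# Constructed sample replies (prompt text as quoted earlier in the thread).
EXPIRED_REPLY = bytes([USERAUTH_PASSWD_CHANGEREQ]) + ssh_string(
    "Your password has expired; you must set a new password to log in") + ssh_string("en")
DENIED_REPLY = bytes([USERAUTH_FAILURE]) + ssh_string("publickey") + b"\x00"
```

A client that does not handle message 60 after a password request cannot complete the change, so whether an expired password can be replaced over SSH depends on both the server and the client implementing this exchange.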


  13. Re: cannot ssh login with expired password

    On Tue, Sep 04, 2007 at 08:30:10PM -0700, Neil Rieck wrote:
    > On Sep 4, 9:12 am, koeh...@eisner.nospam.encompasserve.org (Bob
    > Koehler) wrote:
    > > In article <20070903112651.GA48...@mech-aslap33.men.bris.ac.uk>, Anton Shterenlikht writes:
    > >
    > > The fault lies in the current definition of the SSH protocol.

    >
    > I might be totally out to lunch here but I was led to believe that
    > SSH2 had these features, and that is why most client s/w first tried
    > to connect using SSH2 before falling back to plain old SSH.
    >
    > So your statement "The fault lies in the current definition of the SSH
    > protocol" is literally true. But we have got this expired password
    > thing working using the latest versions of TCPware along with
    > Reflection-WRQ (now Attachmate)
    >


    many thanks to all who replied with clarifications.

    --
    Anton Shterenlikht
    Room 2.6, Queen's Building
    Mech Eng Dept
    Bristol University
    University Walk, Bristol BS8 1TR, UK
    Tel: +44 (0)117 928 8233
    Fax: +44 (0)117 929 4423
