05-16-2004
OpenSSH and password aging
Vesion 3.8.1 of OpenSSH has been compiled on a Solaris 8 host. I am having difficulties in enabling password aging to work from reading /etc/default/passwd and /etc/shadow.
# passwd -f < user-id > works satisfactorily however once a password ages through due course from the settings in /etc/default/passwd and /etc/shadow the users are not prompted to change passwords and the user is logged out immediatetly.
I have searched this site and the WWW looking for a solution, and have followed some suggestions to setup privledged separation.
Has anyone managed to get password aging to work with OpenSSH. Below are my compile options and configuration file.
Many thanks
# ./configure --prefix=/opt/ssh \
> --without-pam --disable-suid-ssh --without-rsh \
> --with-lastlog=/var/adm/lastlog \
> --with-pgp --with-nologin-allow=/etc/nolgin.allow \
> --without-none --with-privsep-user=sshd \
> --with-privsep-path=/var/empty \
> --without-prng --without-rand-helper
# cat sshd_config
# $OpenBSD: sshd_config,v 1.68 2003/12/29 16:39:50 millert Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/ssh/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /opt/ssh/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/ssh/etc/ssh_host_rsa_key
#HostKey /opt/ssh/etc/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /opt/ssh/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication' and 'PermitEmptyPasswords'
#UsePAM no
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
# no default banner path
Banner /etc/issue
# override default of no subsystems
Subsystem sftp /opt/ssh/libexec/sftp-server
10 More Discussions You Might Find Interesting
1. UNIX for Dummies Questions & Answers
If the command passwd -f is used, Users get the below error. I need to force users to change there passwords at initial login. Anyone know what is going on? This is on a Non-Stop UX system
UX:in.login: ERROR: Your password has been expired for too long
UX:in.login: TO FIX: Consult your system... (0 Replies)
Discussion started by: breigner
0 Replies
2. UNIX for Dummies Questions & Answers
hi experts
this is regarding password aging
i tried searching forum but i cudnt locate
given a login id,
i would like to determine whether password ageing has been enabled for that
and
for the login id whether password has been expired on a particular point of time
Thanks (4 Replies)
Discussion started by: teletype_error
4 Replies
3. Shell Programming and Scripting
Hi ,
is there anyway of implementing password aging in NIS?
I would say thanks in advance.
Thanks and regards,
HAA (1 Reply)
Discussion started by: HAA
1 Replies
4. Solaris
Here's the issue. Currently when I run passwd -f "username" on any account, when I try to login with said account I don't get prompted to change my password I just keep getting prompted to input a password. (Of course this works just fine with telnet)Is there something i need to add to... (7 Replies)
Discussion started by: woodson2
7 Replies
5. UNIX for Advanced & Expert Users
All,
I enabled PAM and aged a password, but when I login it asks me for the current password then says password unchanged after entering the current password. Is this a bug? My security dept is going to want me to enable password aging and I'm stuck!
Any help on what the issu is?
... (6 Replies)
Discussion started by: markdjones82
6 Replies
6. AIX
Hello together,
I have a Problem with openssh on AIX 5.3.
We have a big amount of AIX-hosts that run with openssh but one donīt!
Every time we try to connect via ssh to the host, we get a password prompt.
The myth ist, that there is no Error or somthing else.
Here the output of ssh -vvvv to... (14 Replies)
Discussion started by: heifei
14 Replies
7. HP-UX
basically there are several different versions of hpux, this script is for particular version that is non-trusted but also does not use any shadow files.This one is a little harder to do.
Usually the time stamp of the last password change is stored as an epoch number in the shadow file, for... (3 Replies)
Discussion started by: sparcguy
3 Replies
8. UNIX for Advanced & Expert Users
Hello,
I just installed a bran new Centos 6.2 including openssh 5.3.
On older servers I installed older Linux including openssh 4.3,
I am using keygen with private/public keys to log root on all servers (in a LAN) without typing password each time.
To do this, of course, I have my local... (4 Replies)
Discussion started by: epoins
4 Replies
9. Linux
Recently I have been playing with password ageing and the usage of ssh keys. I have found that if usePAM yes (default) is set in the /etc/ssh/sshd_config file then any password ageing and inactiivity can adversely affect a client with ssh keys.
For example:
Set PASS_MAX_DAYS to 60 in... (5 Replies)
Discussion started by: smurphy_it
5 Replies
10. Red Hat
I installed the OpenSSH on my Windows Machine. I want to connect to the remote Linux machine without typing password. I followed the bellow instructions but the SSH needs password to establish the connection yet.
Open CMD and run: ssh-keygen -t rsa (The public and private keys are generated in... (1 Reply)
Discussion started by: manoj.solaris
1 Replies