PAM, Solaris, Openssh and Forcing a password change


 
# 1  
Old 03-13-2009
PAM, Solaris, Openssh and Forcing a password change

Here's the issue. Currently, when I run passwd -f "username" on any account and then try to log in with said account, I don't get prompted to change my password; I just keep getting prompted to input a password. (Of course this works just fine with telnet.) Is there something I need to add to /etc/pam.conf to make this work?
# 2  
Old 03-13-2009
Details?

What version of Solaris? Solaris 10 comes with ssh, are you using that? If not, what version of openssh? Did you get it from blastwave or sunfreeware?

Is UsePAM set in sshd.conf?
# 3  
Old 03-14-2009
Quote:
Originally Posted by Perderabo
What version of Solaris? Solaris 10 comes with ssh, are you using that? If not, what version of openssh? Did you get it from blastwave or sunfreeware?

Is UsePAM set in sshd.conf?

Hi, thanks for responding. I'm using Solaris 10 and I've replaced Sun's ssh with the Solaris portable version of openssh 5.0 from Openssh.com. UsePAM is set to yes in sshd_config.
# 4  
Old 03-15-2009
I'd have expected this behaviour to be the way it was designed.
Thinking about it, you're forcing the user to change their password, but how do you know that the correct user is changing the appropriate password? SSH requires you to authenticate to log in - how can you do this if you're forcing a password change on the user? SSH can't determine if you're the user in question.

To put it more simply, you need to be authenticated before you're allowed to change your password, for security reasons. Logging in via SSH would mean that the initial authentication is failing/problematic.

I normally set a simple default password for the user and get them to change it themselves after first logging in - there may be easier ways of doing it, but I haven't found it.
# 5  
Old 03-15-2009
Well it's not what I would expect. Normally, the user is prompted for the old password and this assures that the proper user is making the change. Then the user is prompted for the new password. Because of pam's inelegant design, the session is dropped and then the user must login again with the new password. This works with telnet according to the OP. It also works with Sun's ssh.

Which brings me to the only suggestion I can think of... use Sun's ssh.
# 6  
Old 03-16-2009
Quote:
Originally Posted by Perderabo
Well it's not what I would expect. Normally, the user is prompted for the old password and this assures that the proper user is making the change. Then the user is prompted for the new password. Because of pam's inelegant design, the session is dropped and then the user must login again with the new password. This works with telnet according to the OP. It also works with Sun's ssh.

Which brings me to the only suggestion I can think of... use Sun's ssh.

Yes, this is the expected behavior... however, I'd like to stick with openssh because of the Force directives that work well for our current environment.
# 7  
Old 03-17-2009
Anyone????????
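
The two things the thread asks about, whether `UsePAM` is set in sshd_config and which /etc/pam.conf entries sshd ends up with, can be checked with the script below. It is an added example, not code from any poster; it assumes the PAM service name `sshd` (portable OpenSSH's default), and the helper names `pam_stack`, `sshd_keyword` and `make_samples` and both sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: resolve the pam.conf stack for a service and read sshd_config.

# pam_stack FILE SERVICE TYPE: print the SERVICE entries of module type TYPE;
# when the service has none of that type, print the "other" entries instead.
pam_stack() {
    awk -v svc="$2" -v typ="$3" '
        /^[ \t]*#/ || NF < 4 { next }
        $2 == typ && $1 == svc     { own[++n] = $0 }
        $2 == typ && $1 == "other" { oth[++m] = $0 }
        END {
            if (n) { for (i = 1; i <= n; i++) print own[i] } else {
                     for (i = 1; i <= m; i++) print oth[i] }
        }' "$1"
}

# sshd_keyword FILE KEYWORD: print the first value given for KEYWORD
# (case-insensitive, whitespace-separated form); nothing if it is not set.
sshd_keyword() {
    awk -v kw="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(kw) { print $2; exit }' "$1"
}

# make_samples DIR: write constructed sample files (not from the thread).
make_samples() {
    cat > "$1/sshd_config" <<'EOF'
# constructed sample
Protocol 2
usepam yes
EOF
    cat > "$1/pam.conf" <<'EOF'
# constructed sample in pam.conf layout: service type control module
other  auth      required   pam_unix_auth.so.1
other  account   requisite  pam_roles.so.1
other  account   required   pam_unix_account.so.1
other  password  requisite  pam_authtok_get.so.1
other  password  required   pam_authtok_store.so.1
sshd   account   required   pam_unix_account.so.1
EOF
}

dir=$(mktemp -d) && make_samples "$dir"
echo "UsePAM: $(sshd_keyword "$dir/sshd_config" UsePAM)"
for typ in auth account password; do
    echo "== sshd/$typ"; pam_stack "$dir/pam.conf" sshd "$typ"
done
rm -rf "$dir"
```

On a real host, point the two functions at the sshd_config your sshd actually reads and at /etc/pam.conf; `Match` blocks in sshd_config are not interpreted by this sketch.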