

Password Expiry Prompts Not Visible


 
# 1  
Old 09-28-2009

Hi all.

On our systems we use the password expiry through the shadow file. This was recently implemented and the first round of expiry has just arrived.

The problem that I have is that when users are attempting to log on to a box (directly through putty) there are no prompts displayed if your new password does not meet the appropriate criteria.

For example, if you enter a 7 digit password as the new one, there should be a message advising that 'Password too short - must be at least 8 characters.'. This is not visible when logging directly on to a box using putty. However, if you log on to another box and ssh to the box with the expired password, it does display that message.

The problem I have is that all will expire at the same time so the ssh option would be out of the question for the majority of users!

Anyone got any ideas why this would be happening through putty or have any other ideas?

Thanks in advance

Boneyard.
# 2  
Old 09-28-2009
Can you kindly provide the Solaris version? And btw, the users should have a valid password before they can ssh, right? Meaning the a/c is not locked..
I don't get your question that clearly.

Last edited by incredible; 09-28-2009 at 09:14 AM..
# 3  
Old 09-28-2009
Quote:
Originally Posted by incredible
Can you kindly provide the Solaris version?
Sorry....I stupidly forgot all that important info ;-)

Running Solaris 10

putty version is .60

It just seems really odd....I've been banging my head against the wall for a couple of hours now and just can't see what it could be. At one point I thought maybe it's struggling with the rsa key cache for putty, so I deleted that but it still doesn't get me any further.

all help appreciated.

thanks
# 4  
Old 09-28-2009
Can you post us the /etc/default/passwd and /etc/ssh/sshd_config (impt param) files?
What are the typical entries?
eg
PASSREQ=yes
PASSLENGTH=7
MAXWEEKS=8
MINWEEKS=0
WARNWEEKS=1
MAXRETRY=5
HISTORY=5
# 5  
Old 09-28-2009
Here you go.

MAX/MIN WEEKS are blank because we are using the shadow file to track password expiry so that not all users are affected.

MAXWEEKS=
MINWEEKS=
PASSLENGTH=8
HISTORY=10
MINALPHA=4
MINDIFF=7
MINDIGIT=1
MINSPECIAL=0
MINUPPER=1
MINLOWER=2
MAXREPEATS=2
WHITESPACE=YES
NAMECHECK=YES
DICTIONDBDIR=/var/passwd
DICTIONLIST=/usr/share/lib/dict/words


Protocol 2

# Both v1 and v2 (not recommended)
#Protocol 2,1

# Only v1 (not recommended)
#Protocol 1

# Listen port (the IANA registered port number for ssh is 22)
Port 22

# The default listen address is all interfaces, this may need to be changed
# if you wish to restrict the interfaces sshd listens on for a multi homed host.
# Multiple ListenAddress entries are allowed.

# IPv4 only
#ListenAddress 0.0.0.0
# IPv4 & IPv6
ListenAddress ::

# Port forwarding
AllowTcpForwarding no

# If port forwarding is enabled, specify if the server can bind to INADDR_ANY.
# This allows the local port forwarding to work when connections are received
# from any remote host.
GatewayPorts no

# X11 tunneling options
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes

# The maximum number of concurrent unauthenticated connections to sshd.
# start:rate:full see sshd(1) for more information.
# The default is 10 unauthenticated clients.
#MaxStartups 10:30:60

# Banner to be printed before authentication starts.
Banner /etc/issue

# Should sshd print the /etc/motd file and check for mail.
# On Solaris it is assumed that the login shell will do these (eg /etc/profile).
PrintMotd no

# KeepAlive specifies whether keep alive messages are sent to the client.
# See sshd(1) for detailed description of what this means.
# Note that the client may also be sending keep alive messages to the server.
KeepAlive yes

# Syslog facility and level
SyslogFacility auth
LogLevel info

#
# Authentication configuration
#

# Host private key files
# Must be on a local disk and readable only by the root user (root:sys 600).
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Default Encryption algorithms and Message Authentication codes
#Ciphers aes128-ctr,aes128-cbc,arcfour,3des-cbc,blowfish-cbc
#MACS hmac-md5,hmac-sha1,hmac-sha1-96,hmac-md5-96

# Length of the server key
# Default 768, Minimum 512
ServerKeyBits 768

# sshd regenerates the key every KeyRegenerationInterval seconds.
# The key is never stored anywhere except the memory of sshd.
# The default is 1 hour (3600 seconds).
KeyRegenerationInterval 3600

# Ensure secure permissions on users .ssh directory.
StrictModes yes

# Length of time in seconds before a client that hasn't completed
# authentication is disconnected.
# Default is 600 seconds. 0 means no time limit.
LoginGraceTime 600

# Maximum number of retries for authentication
# Default is 6. Default (if unset) for MaxAuthTriesLog is MaxAuthTries / 2
MaxAuthTries 6
MaxAuthTriesLog 3

# Are logins to accounts with empty passwords allowed.
# If PermitEmptyPasswords is no, pass PAM_DISALLOW_NULL_AUTHTOK
# to pam_authenticate(3PAM).
PermitEmptyPasswords no

# To disable tunneled clear text passwords, change PasswordAuthentication to no.
PasswordAuthentication yes

# Use PAM via keyboard interactive method for authentication.
# Depending on the setup of pam.conf(4) this may allow tunneled clear text
# passwords even when PasswordAuthentication is set to no. This is dependent
# on what the individual modules request and is out of the control of sshd
# or the protocol.
PAMAuthenticationViaKBDInt yes

# Are root logins permitted using sshd.
# Note that sshd uses pam_authenticate(3PAM) so the root (or any other) user
# maybe denied access by a PAM module regardless of this setting.
# Valid options are yes, without-password, no.
PermitRootLogin without-password

# sftp subsystem
Subsystem sftp /usr/lib/ssh/sftp-server


# SSH protocol v1 specific options
#
# The following options only apply to the v1 protocol and provide
# some form of backwards compatibility with the very weak security
# of /usr/bin/rsh. Their use is not recommended and the functionality
# will be removed when support for v1 protocol is removed.

# Should sshd use .rhosts and .shosts for password less authentication.
IgnoreRhosts yes
RhostsAuthentication no

# Rhosts RSA Authentication
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts.
# If the user on the client side is not root then this won't work on
# Solaris since /usr/bin/ssh is not installed setuid.
RhostsRSAAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication.
#IgnoreUserKnownHosts yes

# Is pure RSA authentication allowed.
# Default is yes
RSAAuthentication yes
# 6  
Old 09-28-2009
Quote:
Originally Posted by boneyard
this is not visible when logging directly on to a box using putty.
Please correct me if I'm wrong. In this stmt, are you referring to logging in directly to the console of the box using putty on your notebook?
# 7  
Old 09-28-2009
Yeah. Logging on to a box using putty prompts for the password change but if I enter a password string that isn't long enough, it doesn't mention the error, just bombs out to the login prompt again.

However, if I hop on to a different box and ssh to the one in question, it will notify me that the new password chosen does not meet the required criteria and must be 8 characters long.

does that make sense?

thanks
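
An added example (not from the thread and not Solaris code): a Python check of a candidate password against the /etc/default/passwd values posted in reply #5, returning the keys it fails, which helps when the client does not show the rejection reason. The key semantics are modelled on the Solaris passwd(1) descriptions as an assumption, the function names are hypothetical, and MINDIFF and HISTORY are not checked because they need the old password.

```python
import re

# Constructed sample: values from reply #5 (keys checked here, plus one blank key).
POLICY_TEXT = """MAXWEEKS=
PASSLENGTH=8
MINALPHA=4
MINDIGIT=1
MINSPECIAL=0
MINUPPER=1
MINLOWER=2
MAXREPEATS=2
WHITESPACE=YES
NAMECHECK=YES
"""

def parse_policy(text):
    """Parse KEY=VALUE lines; comments and keys left blank are skipped."""
    policy = {}
    for line in text.splitlines():
        key, sep, value = line.split("#", 1)[0].partition("=")
        if sep and value.strip():
            policy[key.strip()] = value.strip()
    return policy

def violations(candidate, login, policy):
    """Return the sorted policy keys that the candidate password fails."""
    def num(key):
        return int(policy.get(key, 0))
    counts = {
        "PASSLENGTH": len(candidate),
        "MINALPHA": sum(c.isalpha() for c in candidate),
        "MINDIGIT": sum(c.isdigit() for c in candidate),
        "MINUPPER": sum(c.isupper() for c in candidate),
        "MINLOWER": sum(c.islower() for c in candidate),
        "MINSPECIAL": sum(not c.isalnum() for c in candidate),  # simplification
    }
    failed = [key for key, have in counts.items() if have < num(key)]
    # MAXREPEATS=n: a run of more than n identical characters is rejected.
    if num("MAXREPEATS") and re.search(r"(.)\1{%d,}" % num("MAXREPEATS"), candidate):
        failed.append("MAXREPEATS")
    if policy.get("WHITESPACE", "YES").upper() == "NO" and re.search(r"\s", candidate):
        failed.append("WHITESPACE")
    # NAMECHECK: reject the login name, its reverse, or a circular shift of it.
    name = login.lower()
    shifts = {name[i:] + name[:i] for i in range(len(name))}
    if policy.get("NAMECHECK", "YES").upper() == "YES" and (
            candidate.lower() in shifts | {s[::-1] for s in shifts}):
        failed.append("NAMECHECK")
    return sorted(failed)
```
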
