Bug 83585 - SSH Does not conform to Password Expiration Standard
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: openssh
Version: 8.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: 98330 107562
Reported: 2003-02-05 20:20 UTC by Sherif Abdelgawad
Modified: 2013-08-06 03:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-05-12 04:23:35 UTC


Attachments
patch to allow password expiration to work in non separated mode (deleted)
2003-09-15 18:49 UTC, Neil Horman


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2004:114 normal SHIPPED_LIVE Updated openssh packages fix password expiration bugs 2004-05-12 04:00:00 UTC

Description Sherif Abdelgawad 2003-02-05 20:20:16 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823
Netscape/7.0

Description of problem:
SSH drops/closes the connection if the user authenticating has an expired
password, rather than prompting for changing the password as it should be.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. # useradd test

2. # chage test
Changing the aging information for test
Enter the new value, or press return for the default

        Minimum Password Age [0]:
        Maximum Password Age [90]:
        Last Password Change (YYYY-MM-DD) [2002-12-05]: 2002-11-01
        Password Expiration Warning [7]:
        Password Inactive [-1]:
        Account Expiration Date (YYYY-MM-DD) [1969-12-31]:

Change the Last updates password to be more than the Max Password age
(i.e. force to fall in expiration)

3. # ssh test@0
test@0's password:
Connection to 0 closed by remote host.
Connection to 0 closed.

    

Actual Results:  Close connection 

Expected Results:  prompt for new password like

# ssh test@0
test@0's password:
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Changing password for test
(current) UNIX password:

Additional info: The problem does not exist on the ssh version on AS2.1
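
The aging arithmetic behind the reproduction steps in the description above, as an added example that is not part of the original report or of OpenSSH: it classifies /etc/shadow lines following shadow(5) field semantics, so an administrator can list the accounts whose next login requires a password change, the state in which the reported sshd closes the connection. The sample lines, state names and function names are constructed for illustration; the boundary-day comparisons are an assumption, and a given PAM module may differ by a day.

```python
from datetime import date

EPOCH = date(1970, 1, 1)
TODAY = date(2003, 2, 5)          # date the bug was reported

def days(d):
    """Days since the epoch, the unit shadow(5) uses for dates."""
    return (d - EPOCH).days

def _num(field):
    # An empty field or -1 disables that aging feature.
    return None if field in ("", "-1") else int(field)

def aging_state(line, today=TODAY):
    """Return (user, state) for one shadow line as of `today`."""
    f = line.rstrip("\n").split(":")
    if len(f) < 8:
        raise ValueError("not a shadow(5) line")
    lastchg, _minage, maxage, warn, inactive, expire = map(_num, f[2:8])
    now = days(today)
    if expire is not None and now >= expire:
        return f[0], "ACCOUNT_EXPIRED"
    if lastchg == 0:                       # admin forced a change
        return f[0], "CHANGE_REQUIRED"
    if lastchg is None or maxage is None:
        return f[0], "OK"
    age = now - lastchg
    if age > maxage:
        if inactive is not None and age > maxage + inactive:
            return f[0], "PASSWORD_INACTIVE"
        return f[0], "CHANGE_REQUIRED"
    if warn is not None and age > maxage - warn:
        return f[0], "WARN"
    return f[0], "OK"

def must_change(lines, today=TODAY):
    """Users who should get a change prompt at login, not a disconnect."""
    return [u for u, s in (aging_state(l, today) for l in lines)
            if s == "CHANGE_REQUIRED"]

# Constructed sample entries; "test" mirrors the chage values in the report.
SAMPLE = [
    f"test:HASH:{days(date(2002, 11, 1))}:0:90:7:::",
    f"alice:HASH:{days(date(2003, 1, 20))}:0:90:7:::",
    f"bob:HASH:{days(date(2002, 11, 10))}:0:90:7:::",
    f"carol:HASH:{days(date(2002, 9, 1))}:0:90:7:14::",
    f"dave:HASH:{days(date(2003, 1, 20))}:0:90:7::{days(date(2003, 1, 1))}:",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(*aging_state(entry))
```
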

Comment 1 Sherif Abdelgawad 2003-02-05 20:27:35 UTC
it seems to be only on OpenSSH 3.4p1

Comment 2 Antonio Pérez Pérez 2003-06-09 15:57:46 UTC
This problem also exists in Redhat9 openssh-server-3.5p1-6.

You will find a report for this bug in OpenSSH bugzilla as #423: 
"Workaround for pw change in privsep mode (3.5.p1)"
(http://bugzilla.mindrot.org/show_bug.cgi?id=423)

I've found this through a message from Darren Tucker
(http://www.derkeiler.com/Newsgroups/comp.security.ssh/2003-01/0556.html). 
He also gives a patch for this bug (patch #198) that I've tested in Redhat9
openssh-server 3.5p1-6 with no success.

Is there any official solution to this bug?

Comment 3 Peter Åstrand 2003-06-16 08:37:11 UTC
This wouldn't be much of a problem if password expiration worked with PrivSep
disabled, but it doesn't.

Maybe the patch 
http://www.zip.com.au/~dtucker/openssh/openssh-3.6.1p2-passexpire20.patch helps. 

Comment 4 Eric Hopper 2003-08-08 16:38:03 UTC
This is a problem in RH 9 and Severn as well.


Comment 5 Neil Horman 2003-09-15 18:49:59 UTC
Created attachment 94503
patch to allow password expiration to work in non separated mode

I've done some looking into the attached patches for this bug, and it seems to
me that without the aforementioned helper app, getting this to work in
non-separated mode is going to take some time. In the interim, I've found that
the only reason 3.5p1 doesn't work in non-separated mode is that the case for
PAM_NEW_AUTHTOK_REQD in do_pam_account was #if 0-ed out.  Anywho, the attached
patch corrects this, and after that, setting UsePrivilegeSeparation in
sshd_config to no allows password expiration to work.

Comment 6 Chris Stankaitis 2004-01-05 16:04:03 UTC
tested, and this is also still an issue with RH9 openssh-3.5p1-11,
fedora core 1 openssh-3.6.1p2-19 and RHEL 3 openssh-3.6.1p2-18

Comment 9 Phil Knirsch 2004-03-04 14:49:43 UTC
It has been fixed in FC2 already and an errata for RHEL3 has been
issued and should be released within the next few weeks.

Thanks,

Read ya, Phil

Comment 13 John Flanagan 2004-05-12 04:23:35 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-114.html


