From venglin@freebsd.lublin.pl  Wed Mar  7 02:31:34 2001
Return-Path: <venglin@freebsd.lublin.pl>
Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18])
	by hub.freebsd.org (Postfix) with SMTP id 6449A37B719
	for <FreeBSD-gnats-submit@freebsd.org>; Wed,  7 Mar 2001 02:31:28 -0800 (PST)
	(envelope-from venglin@freebsd.lublin.pl)
Received: (qmail 44254 invoked from network); 7 Mar 2001 10:38:51 -0000
Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11)
  by 0 with SMTP; 7 Mar 2001 10:38:51 -0000
Received: (qmail 3759 invoked from network); 7 Mar 2001 10:30:04 -0000
Received: from unknown (HELO riget.scene.pl) ()
  by 0 with SMTP; 7 Mar 2001 10:30:04 -0000
Received: (qmail 3755 invoked by uid 1001); 7 Mar 2001 10:30:03 -0000
Message-Id: <20010307103003.3754.qmail@riget.scene.pl>
Date: 7 Mar 2001 10:30:03 -0000
From: venglin@freebsd.lublin.pl
Reply-To: venglin@freebsd.lublin.pl
To: FreeBSD-gnats-submit@freebsd.org
Subject: Password expiration doesn't work after upgrade of system
X-Send-Pr-Version: 3.2

>Number:         25586
>Category:       bin
>Synopsis:       Password expiration doesn't work after upgrade of system
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    green
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Mar 07 02:40:01 PST 2001
>Closed-Date:    Sat Jul 12 21:16:06 PDT 2003
>Last-Modified:  Sat Jul 12 21:16:06 PDT 2003
>Originator:     Przemyslaw Frasunek
>Release:        FreeBSD 4.2-STABLE i386
>Organization:
ISMEDIA
>Environment:

	FreeBSD 4.2-STABLE as of 22 Feb 2001. On 4.2-STABLE as of 25 Dec 2000
	everything was ok.

	/etc/login.conf:

standard:\
	:passwordperiod=90d:\
	:autodelete=6w:\
	:passwordtime=4w:\
	:warnpassword=1w:\
	:tc=default:

	OpenSSH version:

SSH Version OpenSSH_2.3.0, protocol versions 1.5/2.0.
Compiled with SSL (0x0090600f).

	/etc/pam.conf:

# OpenSSH with PAM support requires similar modules.  The session one is
# a bit strange, though...
sshd    auth    sufficient      pam_skey.so
#sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
sshd    auth    required        pam_unix.so                     try_first_pass
sshd    session required        pam_permit.so

>Description:

	If the password is expired, sshd enters an infinite loop, flooding
	syslog with the following messages and eating all CPU time.

Mar  7 11:25:31 yeti sshd[43628]: PAM pam_chauthtok failed[6]: Permission denied
Mar  7 11:25:31 yeti sshd[43628]: no modules loaded for `sshd' service

	The normal behaviour was to spawn passwd and allow the user to change
	the password.

>How-To-Repeat:

	Turn on password expiration, log in to an account with an expired password.

>Fix:

	Unknown.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->green 
Responsible-Changed-By: kris 
Responsible-Changed-When: Fri Mar 23 21:42:59 PST 2001 
Responsible-Changed-Why:  
Not sure if this is a PAM problem or an OpenSSH problem, but 
punt it to green on the assumption it's the latter 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25586 

From: Sean Kelly <smkelly@zombie.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc: venglin@freebsd.lublin.pl
Subject: Re: bin/25586: Password expiration doesn't work after upgrade of system
Date: Tue, 31 Jul 2001 21:00:09 -0500

 
 bin/25586 describes a problem with users using SSH to access the system
 after their password has expired.  I've recently experienced the exact
 same problem.  Users with expired passwords cause the following to pour
 into syslog until the user disconnects their client:
 
 sshd[43628]: PAM pam_chauthtok failed[6]: Permission denied
 sshd[43628]: no modules loaded for `sshd' service
 
 My pam.conf is identical to /usr/src/etc/pam.conf.
 
 Further investigation shows that this only happens when the user is
 using SSH protocol 2 to access the system.  A user with an expired
 password is able to reset it normally if they are using an SSH1 client
 to access the system.  Use of SSH2 is what causes the errors.
 
 As of this moment, the reason for this is beyond me.
 
 --
 Sean Kelly         | PGP KeyID: 77042C7B
 smkelly@zombie.org | http://www.zombie.org
 
 For PGP key, send e-mail with subject "send pgp key"
 

From: Marc Perisa <perisa@porsche.de>
To: freebsd-gnats-submit@FreeBSD.org, venglin@freebsd.lublin.pl
Cc:  
Subject: Re: bin/25586: Password expiration doesn't work after upgrade of
 system
Date: Wed, 29 May 2002 02:58:51 +0200

 Hi,
 
 Does this problem still exist in a recent FreeBSD 4-STABLE system?
 
 Thanks
 
 Marc
 
 
 
 
State-Changed-From-To: open->closed 
State-Changed-By: green 
State-Changed-When: Sat Jul 12 21:15:36 PDT 2003 
State-Changed-Why:  
Obsolete. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=25586 
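
A log check for the failure mode reported in this PR, added here as an example and not part of the original report or of FreeBSD/OpenSSH code: it flags any sshd PID that logs the pam_chauthtok failure repeatedly within a short window. The sample lines are constructed from the two messages quoted in the report; the threshold, window, default year, PID 50001 and the user and address in the last line are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Traditional BSD syslog line: "Mar  7 11:25:31 yeti sshd[43628]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+"
    r"sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$"
)
LOOP_MARKER = "PAM pam_chauthtok failed"

# Constructed sample: the two messages from the report repeated by one PID,
# plus an unrelated sshd process (PID, user and address are made up).
SAMPLE = (
    ["Mar  7 11:25:31 yeti sshd[43628]: PAM pam_chauthtok failed[6]: Permission denied",
     "Mar  7 11:25:31 yeti sshd[43628]: no modules loaded for `sshd' service"] * 6
    + ["Mar  7 11:25:40 yeti sshd[50001]: PAM pam_chauthtok failed[6]: Permission denied",
       "Mar  7 11:25:41 yeti sshd[50001]: Accepted password for alice from 192.0.2.10 port 1022 ssh2"]
)


def find_chauthtok_loops(lines, year=2001, threshold=5, window_seconds=10):
    """Return {(host, pid): peak_count} for sshd processes that logged the
    pam_chauthtok failure at least `threshold` times inside the window."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # (host, pid) -> timestamps still in window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or LOOP_MARKER not in m.group("msg"):
            continue
        # Classic syslog omits the year, so the caller supplies it (assumption).
        stamp = " ".join(m.group("ts").split())
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        key = (m.group("host"), int(m.group("pid")))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:  # drop entries that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


if __name__ == "__main__":
    for (host, pid), count in find_chauthtok_loops(SAMPLE).items():
        print(f"{host} sshd[{pid}]: {count} pam_chauthtok failures in window")
```

A single failure from one PID is not flagged; only a process that repeats the message past the threshold is reported, which matches the one-PID flood shown in the report.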
>Unformatted:
