From nobody@FreeBSD.org  Mon Feb 25 01:13:28 2002
Return-Path: <nobody@FreeBSD.org>
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
	by hub.freebsd.org (Postfix) with ESMTP id 9A0EC37B400
	for <freebsd-gnats-submit@FreeBSD.org>; Mon, 25 Feb 2002 01:13:27 -0800 (PST)
Received: (from nobody@localhost)
	by freefall.freebsd.org (8.11.6/8.11.6) id g1P9DRI60284;
	Mon, 25 Feb 2002 01:13:27 -0800 (PST)
	(envelope-from nobody)
Message-Id: <200202250913.g1P9DRI60284@freefall.freebsd.org>
Date: Mon, 25 Feb 2002 01:13:27 -0800 (PST)
From: Jacques Marneweck <jacques@ataris.co.za>
To: freebsd-gnats-submit@FreeBSD.org
Subject: SSHing with expired password does not bring up passwd anymore to change password
X-Send-Pr-Version: www-1.0

>Number:         35310
>Category:       misc
>Synopsis:       SSHing with expired password does not bring up passwd anymore to change password
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    des
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 25 01:20:00 PST 2002
>Closed-Date:    Mon Jan 26 11:31:12 PST 2004
>Last-Modified:  Thu Mar 11 03:50:13 PST 2004
>Originator:     Jacques Marneweck
>Release:        4.5-STABLE
>Organization:
Ataris Technologies
>Environment:
FreeBSD shell.ataris.co.za 4.5-STABLE FreeBSD 4.5-STABLE #7: Thu Feb 21 00:45:25 SAST 2002     jacques@shell.ataris.co.za:/usr/obj/usr/src/sys/SHELL  i386
>Description:
When a user's password expires and they ssh into the server, it used to prompt them to enter their old password, enter their new password and re-enter their new password.  Since 4.4-STABLE it no longer asks for the password, which means that I have to go and disable password expiry for each user whenever it locks them out of the server because their password has expired.
>How-To-Repeat:
Change the 0 in the password expired field to 1 and log in.  It will tell you that the password has expired and hang there.
>Fix:
      
>Release-Note:
>Audit-Trail:

From: John-David Childs <jchilds@digitalglobe.com>
To: freebsd-gnats-submit@freebsd.org
Cc: jacques@ataris.co.za
Subject: Re: misc/35310: SSHing with expired password does not bring up
	passwd anymore to change password
Date: 06 Mar 2002 15:28:16 -0700

 
 FWIW: I just tried this with FreeBSD 4.5-RELEASE, and sshd works as
 expected. (it brings up an "Old Password: " prompt).  (However, the
 password/account expire field does NOT seem to work with ftpd).
 
 /etc/pam.conf:
 
 # OpenSSH with PAM support requires similar modules.  The session one is
 # a bit strange, though...
 sshd    auth    sufficient      pam_skey.so
 #sshd   auth    sufficient      pam_kerberosIV.so               try_first_pass
 sshd    auth    required        pam_unix.so                     try_first_pass
 sshd    account required        pam_unix.so
 sshd    password required       pam_permit.so
 sshd    session required        pam_permit.so
 # "csshd" is for challenge-based authentication with sshd (TIS auth, etc.)
 csshd   auth    required        pam_skey.so
 
 
 
 
 
Responsible-Changed-From-To: freebsd-bugs->des 
Responsible-Changed-By: kris 
Responsible-Changed-When: Sat Jul 12 17:54:26 PDT 2003 
Responsible-Changed-Why:  
Assign to OpenSSH maintainer 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35310 

From: des@des.no (Dag-Erling Smørgrav)
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: misc/35310
Date: Mon, 14 Jul 2003 12:53:58 +0200

 Does this still occur with more recent versions of FreeBSD / OpenSSH?
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Mon Jan 26 11:31:11 PST 2004 
State-Changed-Why:  
feedback timeout 

http://www.freebsd.org/cgi/query-pr.cgi?pr=35310 

From: "Jacques Marneweck" <jacques@php.net>
To: <freebsd-gnats-submit@FreeBSD.org>,
	"Jacques Marneweck" <jacques@ataris.co.za>
Cc:  
Subject: Re: misc/35310: SSHing with expired password does not bring up passwd anymore to change password
Date: Tue, 27 Jan 2004 21:13:54 +0200

 Hi,
 
 Still the same situation with FreeBSD 4.9-STABLE.
 
 Regards
 --jm
 

From: Steve Wills <steve@stevenwills.com>
To: freebsd-gnats-submit@FreeBSD.org, jacques@ataris.co.za,
	des@FreeBSD.org
Cc:  
Subject: Re: misc/35310: SSHing with expired password does not bring up passwd anymore to change password
Date: Wed, 10 Mar 2004 22:19:01 -0500

 I'm seeing the same thing on 4.9-RELEASE-p3. I'm happy to provide any
 info needed to help get this fixed.
 
 Steve

From: des@des.no (Dag-Erling Smørgrav)
To: Steve Wills <steve@stevenwills.com>
Cc: freebsd-gnats-submit@freebsd.org
Subject: Re: misc/35310: SSHing with expired password does not bring up
 passwd anymore to change password
Date: Thu, 11 Mar 2004 12:45:24 +0100

 Steve Wills <steve@stevenwills.com> writes:
 > I'm seeing the same thing on 4.9-RELEASE-p3. I'm happy to provide any
 > info needed to help get this fixed.
 
 There's no "info needed to help get this fixed"; password expiry is
 simply not implemented for PAM authentication in the OpenSSH version
 present in FreeBSD 4.  If you absolutely must have it, turn off PAM
 ("ChallengeResponseAuthentication no" in /etc/ssh/sshd_config) or
 switch to FreeBSD 5.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
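
Added example, not part of the PR thread or of FreeBSD's code: a POSIX sh check that lists the accounts which would hit the hang described above, that is, users whose master.passwd change field is set and in the past while sshd still has ChallengeResponseAuthentication enabled. The sample data and function names are constructed, and treating a missing directive as "yes" is an assumption based on OpenSSH's documented default.

```shell
#!/bin/sh
# Added example: flag accounts that would hit the hang reported in this PR.

# Constructed sample in master.passwd(5) layout:
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
SAMPLE_PASSWD='root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::1:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::4102444800:0:Carol:/home/carol:/bin/sh'

# Constructed sshd_config fragment.
SAMPLE_SSHD='Port 22
#ChallengeResponseAuthentication no
ChallengeResponseAuthentication yes'

# Read master.passwd lines on stdin; print names whose password change
# time (field 6) is set (non-zero) and not later than $1 (epoch seconds).
expired_users() {
    awk -F: -v now="$1" \
        '!/^#/ && NF >= 10 && $6 + 0 != 0 && $6 + 0 <= now + 0 { print $1 }'
}

# Read sshd_config on stdin; print the effective value of
# ChallengeResponseAuthentication. sshd uses the first value it obtains for a
# keyword; when the keyword is absent this assumes OpenSSH's default, "yes".
cra_setting() {
    awk 'tolower($1) == "challengeresponseauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }'
}

# $1 = master.passwd text, $2 = sshd_config text, $3 = current epoch time.
# Prints the affected users, or nothing when the PAM path is switched off.
at_risk() {
    if [ "$(printf '%s\n' "$2" | cra_setting)" = "yes" ]; then
        printf '%s\n' "$1" | expired_users "$3"
    fi
}

at_risk "$SAMPLE_PASSWD" "$SAMPLE_SSHD" "$(date +%s)"
```

On a real host, pass the contents of /etc/master.passwd (readable by root only) and /etc/ssh/sshd_config in place of the samples.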
>Unformatted:
