SUMMARY: SunSSH problem with expired passwords

From: Joshua Gallant <>
Date: Tue Jun 26 2007 - 09:53:03 EDT
Hello Everyone,

Thanks to everyone who responded.  With all the little
pieces offered I seem to have put together the answers
I was looking for.

I guess older versions of SSH would allow a connection
to the machine when a password was expired.  The
machine would then prompt for a new password or
disconnect if a password change failed.

With the new versions of SSH the system will not allow
that connection with the expired password using
password authentication.

The correct way to go about this is to use
keyboard-interactive authentication which works fine. 
The problem is the client software I use doesn't
support that at this time.  With the emulation the
system uses there just aren't a lot of options.

Thanks again!


--- Joshua Gallant <> wrote:

> Hi Everyone,
> I've tried searching for answers on google but have
> come up empty so figured I would try the mailing
> list
> route next.  Here's my dilemma:
> My company currently uses a terminal emulation
> software called anzio to connect to a Solaris 9 4/03
> box via SSH.  The server runs "SSH Version
> Sun_SSH_1.0.1" for server software and things work
> perfectly.
> We're in the process of configuring a new machine
> running Solaris 10 11/06 with "Sun_SSH_1.1" running.
> The problem arises when a users password has
> expired. 
> More specifically, if we use the "passwd -f" option
> to
> set a user to change their password during the next
> login then their login is rejected.
> I've run the server in debug mode and used a
> SecureCRT
> session with trace options turned on and found that
> when the password is expired the server switches to
> keyboard-interactive mode.  It seems that the client
> software we use supports password mode but not
> keyboard-interactive.
> Here are a few relevant settings from my sshd_config
> file:
> # To disable tunneled clear text passwords, change
> PasswordAuthentication to no.
> PasswordAuthentication yes
> # Use PAM via keyboard interactive method for
> authentication.
> # Depending on the setup of pam.conf(4) this may
> allow
> tunneled clear text
> # passwords even when PasswordAuthentication is set
> to
> no. This is dependent
> # on what the individual modules request and is out
> of
> the control of sshd
> # or the protocol.
> PAMAuthenticationViaKBDInt yes
> It seems that the new version of SSH works
> differently
> than the old.  Anyone else run into this problem? 
> Anyone have any ideas that might help me?
> Thanks in advance for any help you can offer.
> Josh
> _______________________________________________
> sunmanagers mailing list
sunmanagers mailing list
Received on Tue Jun 26 09:53:24 2007

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:44:06 EST