
Re: Security trough paranoia



>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:

    Ethan> this might work on unstable's ssh, but the ssh in stable
    Ethan> will simply deny access if the password is expired.

doesn't seem to be the case here, and it should be PAM not ssh:

snoopy:~# chage bam
Changing the aging information for bam
Enter the new value, or press return for the default

	Minimum Password Age [0]: 
	Maximum Password Age [9999]: 2
	Last Password Change (YYYY-MM-DD) [2001-03-31]: 
	Password Expiration Warning [7]: 
	Password Inactive [-1]: 
	Account Expiration Date (YYYY-MM-DD) [1969-12-31]: 

[502] [snoopy:bam] ~ >ssh snoopy
Enter passphrase for key '/home/bam/.ssh/id_dsa': 
bam@snoopy.apana.org.au's password: 
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Last login: Sat Apr  7 17:42:28 2001 from snoopy.apana.org.au on pts/4
Linux snoopy 2.4.3 #1 Sat Mar 31 13:50:13 EST 2001 i686 unknown

Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/doc/*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Changing password for bam
(current) UNIX password: 

with ssh from unstable, are you sure the one from stable doesn't do
this? (I think it is done by PAM not openssh anyway).

Even works with DSA key auth:

[502] [snoopy:bam] ~ >ssh snoopy
Enter passphrase for key '/home/bam/.ssh/id_dsa': 
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Last login: Sat Apr  7 17:42:53 2001 from snoopy.apana.org.au on pts/4
Linux snoopy 2.4.3 #1 Sat Mar 31 13:50:13 EST 2001 i686 unknown

Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/doc/*/copyright

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Changing password for bam
(current) UNIX password: 

and for reference:

snoopy:~# chage bam
Changing the aging information for bam
Enter the new value, or press return for the default

	Minimum Password Age [0]: 
	Maximum Password Age [2]: 
	Last Password Change (YYYY-MM-DD) [2001-03-31]: 
	Password Expiration Warning [7]: 
	Password Inactive [-1]: 1
	Account Expiration Date (YYYY-MM-DD) [1969-12-31]: 

[502] [snoopy:bam] ~ >ssh snoopy
Enter passphrase for key '/home/bam/.ssh/id_dsa': 
bam@snoopy.apana.org.au's password: 
Permission denied, please try again.
bam@snoopy.apana.org.au's password: 
Permission denied, please try again.
bam@snoopy.apana.org.au's password: 
Permission denied (publickey,password).

perhaps that is what you were thinking of?

(also note: in all of the above examples the 7 day warning period had
already expired, otherwise it just warns you instead of making you
change it).
-- 
Brian May <bam@debian.org>
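
The two outcomes shown in the sessions above (forced password change versus "Permission denied") can be reproduced from the aging fields alone. The following is an added example, not part of the original message: it parses shadow(5)-style lines and classifies them on the login date seen in the transcripts. The shadow lines are constructed from the chage values above, and the state names and exact comparison boundaries are assumptions of this sketch.

```python
from datetime import date

EPOCH = date(1970, 1, 1)

def days(d):
    """Days since 1970-01-01, the unit used in the shadow aging fields."""
    return (d - EPOCH).days

def parse_shadow(line):
    """Return the aging fields of one shadow(5) line; an empty field is unset (-1)."""
    fields = line.rstrip("\n").split(":")
    names = ("lstchg", "min", "max", "warn", "inact", "expire")
    return {n: int(v) if v else -1 for n, v in zip(names, fields[2:8])}

def aging_state(entry, today):
    """Classify an entry; state names are hypothetical labels for this example."""
    now = days(today)
    lst, mx, warn = entry["lstchg"], entry["max"], entry["warn"]
    inact, exp = entry["inact"], entry["expire"]
    if exp != -1 and now >= exp:
        return "account-expired"          # chage shows an unset date (-1) as 1969-12-31
    if lst == -1:
        return "ok"                       # no last-change date: aging disabled
    if lst == 0:
        return "must-change"              # 0 forces a change at next login
    if mx != -1:
        if inact != -1 and now > lst + mx + inact:
            return "denied"               # expired and past the inactive window
        if now > lst + mx:
            return "must-change"          # expired, login allowed after a change
        if warn != -1 and now > lst + mx - warn:
            return "warn"                 # inside the warning period
    return "ok"

# Constructed sample lines mirroring the chage values in the message.
CHANGED = days(date(2001, 3, 31))
SAMPLES = {
    "default": f"bam:x:{CHANGED}:0:9999:7:::",
    "max2": f"bam:x:{CHANGED}:0:2:7:::",
    "max2_inact1": f"bam:x:{CHANGED}:0:2:7:1::",
}

def classify_all(today):
    """Map each sample name to its state on the given date."""
    return {k: aging_state(parse_shadow(v), today) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, state in classify_all(date(2001, 4, 7)).items():
        print(f"{name:12} {state}")
```

Running the same classification over a real shadow file is a quick audit for accounts that would be locked out rather than prompted at their next login.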
