Re: Security trough paranoia
>>>>> "Ethan" == Ethan Benson <erbenson@alaska.net> writes:
Ethan> this might work on unstable's ssh, but the ssh in stable
Ethan> will simply deny access if the password is expired.

Doesn't seem to be the case here, and it should be PAM, not ssh:

snoopy:~# chage bam
Changing the aging information for bam
Enter the new value, or press return for the default
Minimum Password Age [0]:
Maximum Password Age [9999]: 2
Last Password Change (YYYY-MM-DD) [2001-03-31]:
Password Expiration Warning [7]:
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
[502] [snoopy:bam] ~ >ssh snoopy
Enter passphrase for key '/home/bam/.ssh/id_dsa':
bam@snoopy.apana.org.au's password:
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Last login: Sat Apr 7 17:42:28 2001 from snoopy.apana.org.au on pts/4
Linux snoopy 2.4.3 #1 Sat Mar 31 13:50:13 EST 2001 i686 unknown
Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/doc/*/copyright
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Changing password for bam
(current) UNIX password:

with ssh from unstable, are you sure the one from stable doesn't do
this? (I think it is done by PAM, not openssh, anyway.)

Even works with DSA key auth:

[502] [snoopy:bam] ~ >ssh snoopy
Enter passphrase for key '/home/bam/.ssh/id_dsa':
You are required to change your password immediately (password aged)
Warning: Your password has expired, please change it now
Last login: Sat Apr 7 17:42:53 2001 from snoopy.apana.org.au on pts/4
Linux snoopy 2.4.3 #1 Sat Mar 31 13:50:13 EST 2001 i686 unknown
Most of the programs included with the Debian GNU/Linux system are
freely redistributable; the exact distribution terms for each program
are described in the individual files in /usr/doc/*/copyright
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No mail.
Changing password for bam
(current) UNIX password:

and for reference:

snoopy:~# chage bam
Changing the aging information for bam
Enter the new value, or press return for the default
Minimum Password Age [0]:
Maximum Password Age [2]:
Last Password Change (YYYY-MM-DD) [2001-03-31]:
Password Expiration Warning [7]:
Password Inactive [-1]: 1
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
[502] [snoopy:bam] ~ >ssh snoopy
Enter passphrase for key '/home/bam/.ssh/id_dsa':
bam@snoopy.apana.org.au's password:
Permission denied, please try again.
bam@snoopy.apana.org.au's password:
Permission denied, please try again.
bam@snoopy.apana.org.au's password:
Permission denied (publickey,password).

Perhaps that is what you were thinking of?

(Also note: in all of the above examples the 7 day warning period had
already expired; otherwise it just warns you instead of making you
change it.)

--
Brian May <bam@debian.org>
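
The two outcomes shown in the message above (forced password change versus "Permission denied") follow from the aging fields that chage writes to /etc/shadow. The sketch below is an added example, not part of the original post and not PAM's or shadow's own code; it is a simplified model based on the field meanings in shadow(5), and the function name, state labels and sample entries are constructed for illustration.

```python
from datetime import date

EPOCH = date(1970, 1, 1)  # shadow stores dates as days since this day

def _num(field):
    """Parse a shadow field; empty or negative means 'feature disabled'."""
    value = int(field) if field else -1
    return value if value >= 0 else None

def aging_state(shadow_line, today):
    """Classify one /etc/shadow entry as seen on the date `today`.

    Returns 'account-expired', 'locked-inactive', 'must-change',
    'warn' or 'ok' (labels are this example's own).
    """
    f = shadow_line.rstrip("\n").split(":")
    lastchg, _minage, maxage, warn, inactive, expire = (_num(x) for x in f[2:8])
    now = (today - EPOCH).days
    if expire is not None and now >= expire:
        return "account-expired"      # account expiration date reached
    if lastchg == 0:
        return "must-change"          # forced change at next login
    if lastchg is None or maxage is None:
        return "ok"                   # no password aging configured
    age = now - lastchg
    if age > maxage:
        # Past the maximum age: a change is forced at login, unless the
        # inactivity period has also run out, in which case login is refused.
        if inactive is not None and age > maxage + inactive:
            return "locked-inactive"
        return "must-change"
    if warn is not None and age > maxage - warn:
        return "warn"                 # inside the warning period
    return "ok"

# Constructed sample entries mirroring the chage sessions in the message:
# last change 2001-03-31, login on 2001-04-07.
LASTCHG = (date(2001, 3, 31) - EPOCH).days
FORCED = f"bam:*:{LASTCHG}:0:2:7:::"     # Maximum 2, Inactive -1
LOCKED = f"bam:*:{LASTCHG}:0:2:7:1::"    # Maximum 2, Inactive 1
DEFAULT = f"bam:*:{LASTCHG}:0:9999:7:::"  # Maximum 9999 (before the change)

if __name__ == "__main__":
    for line in (DEFAULT, FORCED, LOCKED):
        print(line, "->", aging_state(line, date(2001, 4, 7)))
```

Running the same check across every entry in /etc/shadow shows which accounts will be prompted for a new password and which will be refused outright at their next login.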