
Bug#153456: marked as done (OpenSSH 1:3.4p1 breaks user account expiration)



Your message dated Sat, 06 Mar 2004 14:17:17 -0500
with message-id <E1AzhIT-0002eW-00@newraff.debian.org>
and subject line Bug#153235: fixed in openssh 1:3.8p1-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 18 Jul 2002 15:32:38 +0000
>From icorbett@nax.braverock.com Thu Jul 18 10:32:37 2002
Return-path: <icorbett@nax.braverock.com>
Received: from nax.braverock.com [66.92.142.165] (root)
	by master.debian.org with esmtp (Exim 3.12 1 (Debian))
	id 17VDGc-0003AX-00; Thu, 18 Jul 2002 10:32:34 -0500
Received: from nax.braverock.com (icorbett@localhost [127.0.0.1])
	by nax.braverock.com (8.12.3/8.12.3/Debian -4) with ESMTP id g6IFWUVO025928
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=FAIL)
	for <submit@bugs.debian.org>; Thu, 18 Jul 2002 10:32:31 -0500
Received: (from icorbett@localhost)
	by nax.braverock.com (8.12.3/8.12.3/Debian -4) id g6IFWU1x025927
	for submit@bugs.debian.org; Thu, 18 Jul 2002 10:32:30 -0500
From: Ian Corbett <icorbett@fernworks.net>
Date: Thu, 18 Jul 2002 10:32:30 -0500
To: submit@bugs.debian.org
Subject: OpenSSH 1:3.4p1 breaks user account expiration
Message-ID: <20020718153230.GA17504@fernworks.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.3.28i
Delivered-To: submit@bugs.debian.org

Package: ssh 1:3.4p1-2
Version: 3.4p1-2

It seems that with the release of this new version of the OpenSSH
package the normal user expiration process is broken. When a user's
account expires (after a certain number of days) or is expired (passwd
-e <username>) the normal behavior WAS to allow login but through the
login command require new password creation before dropping to shell.
With the current release as soon as a user logs in with the correct
password the following errors are displayed.  As you can see I attempted
to disable the PrivilegeSeparation feature to no avail though the error
did change.

With UsePrivilegeSeparation yes:

OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to bar.domain.com [64.81.110.202] port 22.
debug1: Connection established.
debug1: identity file /home/foo/.ssh/identity type -1
debug1: identity file /home/foo/.ssh/id_rsa type -1
debug1: identity file /home/foo/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 139/256
debug1: bits set: 1623/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bar.domain.com' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:3
debug1: bits set: 1651/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home/foo/.ssh/identity
debug1: try privkey: /home/foo/.ssh/id_rsa
debug1: try privkey: /home/foo/.ssh/id_dsa
debug1: next auth method to try is password
foo@bar.domain.com's password: 
debug1: ssh-userauth2 successful: method password
debug1: channel 0: new [client-session]
debug1: send channel open 0
debug1: Entering interactive session.
debug1: channel_free: channel 0: client-session, nchannels 1
Connection to bar.domain.com closed by remote host.
Connection to bar.domain.com closed.
debug1: Transferred: stdin 0, stdout 0, stderr 97 bytes in 0.0 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 100941.9
debug1: Exit status -1

auth.log:

Jul 17 18:18:12 bar PAM_unix[18858]: expired password for user foo (root enforced)
Jul 17 18:18:12 bar sshd[18858]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jul 17 18:18:12 bar sshd[18858]: Failed password for foo from 32.97.110.142 port 21291 ssh2
Jul 17 18:18:12 bar sshd[18858]: fatal: monitor_read: unsupported request: 24

With UsePrivilegeSeparation no:

OpenSSH_3.4p1 Debian 1:3.4p1-2, SSH protocols 1.5/2.0, OpenSSL 0x0090604f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to bar.domain.com [64.81.110.202] port 22.
debug1: Connection established.
debug1: identity file /home/foo/.ssh/identity type -1
debug1: identity file /home/foo/.ssh/id_rsa type -1
debug1: identity file /home/foo/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1
debug1: match: OpenSSH_3.4p1 Debian 1:3.4p1-1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.4p1 Debian 1:3.4p1-2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 131/256
debug1: bits set: 1576/3191
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'bar.domain.com' is known and matches the RSA host key.
debug1: Found key in /home/foo/.ssh/known_hosts:3
debug1: bits set: 1622/3191
debug1: ssh_rsa_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home/foo/.ssh/identity
debug1: try privkey: /home/foo/.ssh/id_rsa
debug1: try privkey: /home/foo/.ssh/id_dsa
debug1: next auth method to try is password
foo@bar.domain.com's password: 
debug1: authentications that can continue: publickey,password
Permission denied, please try again.
foo@bar.domain.com's password: 
debug1: authentications that can continue: publickey,password
Permission denied, please try again.
foo@bar.domain.com's password: 
debug1: authentications that can continue: publickey,password
debug1: no more auth methods to try
Permission denied (publickey,password).
debug1: Calling cleanup 0x8063a9c(0x0)

auth.log:

Jul 17 18:22:42 bar PAM_unix[18898]: expired password for user foo (root enforced)
Jul 17 18:22:42 bar sshd[18898]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jul 17 18:22:42 bar sshd[18898]: Failed password for foo from 32.97.110.142 port 46356 ssh2
Jul 17 18:22:57 bar PAM_unix[18898]: expired password for user foo (root enforced)
Jul 17 18:22:57 bar sshd[18898]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jul 17 18:22:57 bar sshd[18898]: Failed password for foo from 32.97.110.142 port 46356 ssh2
Jul 17 18:23:49 bar PAM_unix[18898]: expired password for user foo (root enforced)
Jul 17 18:23:49 bar sshd[18898]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jul 17 18:23:49 bar sshd[18898]: Failed password for foo from 32.97.110.142 port 46356 ssh2
Jul 17 18:23:49 bar sshd[18898]: Connection closed by 32.97.110.142

---------------------------------------
Received: (at 153235-close) by bugs.debian.org; 6 Mar 2004 19:23:03 +0000
>From katie@ftp-master.debian.org Sat Mar 06 11:23:03 2004
Return-path: <katie@ftp-master.debian.org>
Received: from newraff.debian.org [208.185.25.31] (mail)
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1AzhO2-0006El-00; Sat, 06 Mar 2004 11:23:03 -0800
Received: from katie by newraff.debian.org with local (Exim 3.35 1 (Debian))
	id 1AzhIT-0002eW-00; Sat, 06 Mar 2004 14:17:17 -0500
From: Colin Watson <cjwatson@debian.org>
To: 153235-close@bugs.debian.org
X-Katie: $Revision: 1.44 $
Subject: Bug#153235: fixed in openssh 1:3.8p1-1
Message-Id: <E1AzhIT-0002eW-00@newraff.debian.org>
Sender: Archive Administrator <katie@ftp-master.debian.org>
Date: Sat, 06 Mar 2004 14:17:17 -0500
Delivered-To: 153235-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_05 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=HAS_BUG_NUMBER autolearn=no 
	version=2.60-bugs.debian.org_2004_03_05
X-Spam-Level: 

Source: openssh
Source-Version: 1:3.8p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive:

openssh_3.8p1-1.diff.gz
  to pool/main/o/openssh/openssh_3.8p1-1.diff.gz
openssh_3.8p1-1.dsc
  to pool/main/o/openssh/openssh_3.8p1-1.dsc
openssh_3.8p1.orig.tar.gz
  to pool/main/o/openssh/openssh_3.8p1.orig.tar.gz
ssh-askpass-gnome_3.8p1-1_powerpc.deb
  to pool/main/o/openssh/ssh-askpass-gnome_3.8p1-1_powerpc.deb
ssh_3.8p1-1_powerpc.deb
  to pool/main/o/openssh/ssh_3.8p1-1_powerpc.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 153235@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sat,  6 Mar 2004 18:43:44 +0000
Source: openssh
Binary: ssh-askpass-gnome ssh
Architecture: source powerpc
Version: 1:3.8p1-1
Distribution: unstable
Urgency: low
Maintainer: Matthew Vernon <matthew@debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Description: 
 ssh        - Secure rlogin/rsh/rcp replacement (OpenSSH)
 ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add
Closes: 132681 134589 150968 153235 157078 171673 181869 191131 224457 228838 232281 232843 234777
Changes: 
 openssh (1:3.8p1-1) unstable; urgency=low
 .
   * New upstream release (closes: #232281):
     - New PAM implementation based on that in FreeBSD. This runs PAM session
       modules before dropping privileges (closes: #132681, #150968).
     - Since PAM session modules are run as root, we can turn pam_limits back
       on by default, and it no longer spits out "Operation not permitted" to
       syslog (closes: #171673).
     - Password expiry works again (closes: #153235).
     - 'ssh -q' suppresses login banner (closes: #134589).
     - sshd doesn't lie to PAM about invalid usernames (closes: #157078).
     - ssh-add prints key comment on each prompt (closes: #181869).
     - Punctuation formatting fixed in man pages (closes: #191131).
     - EnableSSHKeysign documented in ssh_config(5) (closes: #224457).
   * Add 'UsePAM yes' to /etc/ssh/sshd_config on upgrade from versions older
     than this, to maintain the standard Debian sshd configuration.
   * Comment out PAMAuthenticationViaKbdInt and RhostsAuthentication in
     sshd_config on upgrade. Neither option is supported any more.
   * Privilege separation and PAM are now properly supported together, so
     remove both debconf questions related to them and simply set it
     unconditionally in newly generated sshd_config files (closes: #228838).
   * ServerAliveInterval implemented upstream, so ProtocolKeepAlives is now a
     compatibility alias. The semantics differ slightly, though; see
     ssh_config(5) for details.
   * Implement SSH1 support for ServerAliveInterval using SSH_MSG_IGNORE. As
     documented in ssh_config(5), it's not as good as the SSH2 version.
   * Remove -fno-builtin-log, -DHAVE_MMAP_ANON_SHARED, and
     -D__FILE_OFFSET_BITS=64 compiler options, which are no longer necessary.
   * Update config.guess and config.sub from autotools-dev 20040105.1.
   * Darren Tucker:
     - Reset signal status when starting pam auth thread, prevent hanging
       during PAM keyboard-interactive authentications.
     - Fix a non-security-critical segfault in PAM authentication.
   * Add debconf template translations:
     - Greek (thanks, Konstantinos Margaritis; closes: #232843).
     - Italian (thanks, Renato Gini; closes: #234777).
Files: 
 3106ee4ac61541c173fb4483e7b79833 842 net standard openssh_3.8p1-1.dsc
 7861a4c0841ab69a6eec5c747daff6fb 826588 net standard openssh_3.8p1.orig.tar.gz
 70a09c4a493d91eae0aa9e1c20f8628d 122446 net standard openssh_3.8p1-1.diff.gz
 4351d37420110a347fb7bcab469aa8f3 759138 net standard ssh_3.8p1-1_powerpc.deb
 f5c562d17e71af297bd60a085d3f6027 55824 gnome optional ssh-askpass-gnome_3.8p1-1_powerpc.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Colin Watson <cjwatson@debian.org> -- Debian developer

iD8DBQFASiLO9t0zAhD6TNERAjCPAJ9s58tD+O8ibS/5kDttlKjPLJ85EACfaTmb
DRVK6U+bCoG9e2U1PkLPf7g=
=yeHJ
-----END PGP SIGNATURE-----
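
Added example, not part of either message above and not OpenSSH or Debian code: a triage script for the auth.log pattern in the original report, where sshd logs "Failed password" for a login that PAM account management rejected with code 12 (PAM_NEW_AUTHTOK_REQD in Linux-PAM), so failed-login counters do not mistake expired accounts for bad credentials. The sample lines are constructed in the report's format; the function and field names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the auth.log excerpts in the report
# (PIDs, users and the 192.0.2.x documentation addresses are made up).
SAMPLE = """\
Jul 17 18:18:12 bar PAM_unix[18858]: expired password for user foo (root enforced)
Jul 17 18:18:12 bar sshd[18858]: PAM rejected by account configuration[12]: Authentication token is no longer valid; new one required.
Jul 17 18:18:12 bar sshd[18858]: Failed password for foo from 192.0.2.10 port 21291 ssh2
Jul 17 18:18:12 bar sshd[18858]: fatal: monitor_read: unsupported request: 24
Jul 17 18:30:01 bar sshd[19001]: Failed password for alice from 192.0.2.77 port 40112 ssh2
"""

LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
PAM_REJECT = re.compile(r"PAM rejected by account configuration\[(\d+)\]")
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
PAM_NEW_AUTHTOK_REQD = 12  # Linux-PAM: account is valid but the password must be changed

def classify(log_text):
    """Group syslog lines by PID and label each failed login with its likely cause."""
    by_pid = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if m:
            by_pid[m["pid"]].append(m["msg"])
    results = []
    for pid, msgs in by_pid.items():
        expired = False
        # The privilege-separated monitor aborting, as in the first log of the report.
        crashed = any(x.startswith("fatal: monitor_read") for x in msgs)
        for msg in msgs:
            r = PAM_REJECT.search(msg)
            if r:
                expired = int(r.group(1)) == PAM_NEW_AUTHTOK_REQD
            f = FAILED.search(msg)
            if f:
                cause = "expired-password" if expired else "bad-credentials"
                results.append({"pid": pid, "user": f.group(1), "src": f.group(2),
                                "cause": cause, "monitor_fatal": crashed})
                expired = False  # each rejection explains only the next failure line
    return results

if __name__ == "__main__":
    for event in classify(SAMPLE):
        print(event)
```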



