Network Security Secure-Shell

Re: Password Ageing

Subject: Re: Password Ageing
Date: Wed, 24 Aug 2005 08:42:24 -0700 (PDT)

On Tue, 23 Aug 2005, Baker, Darryl wrote:

> Our corporate security policy requires us to turn on password ageing. I'm
> trying to figure out what the effects are to openssh users. This is on
> Solaris 8 & 9 with openssh 3.9p1.
>
> I have several questions:
>       1) Will ssh users ever see the warnings about their password
>          approaching expiration?
>       2) If the password has expired will they still be able to log in:
>               a) using a password?
>               b) using a key?
>       3) Would UseLogin improve any of this?
>       4) What happens with key only logins with UseLogin turned on?

I can give some partial information. The SSH protocol as defined includes
procedures for a) the server notifying the client that a password has
elapsed; and b) the client pushing a new password to the server. Note that
b) could be done at any time, not only in response to a).

I am fairly sure that OpenSSH 3.9 does not implement these procedures.
Version 4 may have one or both.

I can research this further in the actual source if that would be useful -
contact me off-list.

Regards,
....Bob Rasmussen,   President,   Rasmussen Software, Inc.

personal e-mail: ras@anzio.com
 company e-mail: rsi@anzio.com
          voice: (US) 503-624-0360 (9:00-6:00 Pacific Time)
            fax: (US) 503-624-0760
            web: http://www.anzio.com
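
The two protocol procedures mentioned in the reply above, as an added example that is not part of the original message and is not OpenSSH code: it builds and parses the password-method messages using the message numbers and field layout of RFC 4252, section 8. The user name and passwords are constructed sample values.

```python
import struct

# Message numbers and field order follow RFC 4252 section 8 ("password" method).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60

def put_string(data: bytes) -> bytes:
    """SSH 'string': uint32 big-endian length, then the raw bytes."""
    return struct.pack(">I", len(data)) + data

def get_string(buf: bytes, off: int):
    """Read one SSH string at off; reject lengths that run past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string length exceeds message")
    return buf[off + 4:end], end

def build_changereq(prompt: str, lang: str = "") -> bytes:
    """(a) Server -> client: the password has expired, send a new one."""
    return bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]) + put_string(prompt.encode()) + put_string(lang.encode())

def build_password_request(user, service, old_pw, new_pw=None) -> bytes:
    """(b) Client -> server: plain login, or a password change when new_pw is set."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST]) + put_string(user.encode())
    msg += put_string(service.encode()) + put_string(b"password")
    msg += b"\x01" if new_pw is not None else b"\x00"  # boolean: TRUE means change
    msg += put_string(old_pw.encode())
    if new_pw is not None:
        msg += put_string(new_pw.encode())
    return msg

def parse_password_request(msg: bytes) -> dict:
    """Server-side decode of a password-method SSH_MSG_USERAUTH_REQUEST."""
    if not msg or msg[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not SSH_MSG_USERAUTH_REQUEST")
    off, fields = 1, []
    for _ in range(3):  # user name, service name, method name
        value, off = get_string(msg, off)
        fields.append(value)
    if fields[2] != b"password" or off >= len(msg):
        raise ValueError("not a complete password-method request")
    changing, off = msg[off] != 0, off + 1
    old_pw, off = get_string(msg, off)
    new_pw, off = get_string(msg, off) if changing else (None, off)
    if off != len(msg):
        raise ValueError("trailing bytes after request")
    return {"user": fields[0], "service": fields[1], "change": changing, "old": old_pw, "new": new_pw}
```

Both passwords travel as plaintext strings inside the message, so their confidentiality rests entirely on the encrypted SSH transport underneath.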
