Network Security Secure-Shell
Re: Password Ageing

Subject: Re: Password Ageing
Date: Thu, 25 Aug 2005 10:20:48 +1000
Bob Rasmussen wrote:
> On Tue, 23 Aug 2005, Baker, Darryl wrote:
> > Our corporate security policy requires us to turn on password ageing. I'm
> > trying to figure out what the effects are to openssh users. This is on
> > Solaris 8 & 9 with openssh 3.9p1.
> >
> > I have several questions:

Answers from memory.  This has changed quite a bit over the last couple
of years so some details may vary with versions:

> >      1) Will ssh users ever see the warnings about their password
> > approaching expiration?

With PAM enabled: yes.  With PAM disabled: for password authentications
only.

> >      2) If the password has expired will they still be able to log in:
> >              a) using a password?

Yes, but it will force them to change it.

> >              b) using a key?

With PAM enabled: it will force them to change it.  Without, it will
just permit the login.

> >      3) Would UseLogin improve any of this?

I don't think so, but I've not tried it.

> >      4) What happens with key only logins with UseLogin turned on?

UseLogin is used the same way for pubkey and password logins so I don't
think it would change anything (but again, I've not tried it).

> I can give some partial information. The SSH protocol as defined includes
> procedures for a) the server notifying the client that a password has
> elapsed;

Specifically: the SSH v2 protocol does.  If you're referring to
PASSWD_CHANGEREQ then OpenSSH doesn't implement that.  If you're
referring to USERAUTH_BANNER, then OpenSSH does use that if PAM's
account checks failed (e.g. password expired too long).

> and b) the client pushing a new password to the server. Note that
> b) could be done at any time, not only in response to a).

You're referring to the "change" flag in password authentication?  No
version of OpenSSH implements that.

It does implement pam_chauthtok() via keyboard-interactive and the
session when privsep=no, and by running /usr/bin/passwd for other cases,
both with and without PAM.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
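An added audit script (my own example, not code from the thread or from OpenSSH) for the case the answers above describe: with PAM disabled, a pubkey login on an account whose password has aged out is simply permitted, so an administrator turning on ageing wants to know which key-holding accounts are already expired. The shadow(4)-style records, the day count used as "today" and the set of users assumed to hold authorized keys are all constructed here.

```python
# Constructed sample shadow(4) records, not taken from the thread.
# Fields: name:passwd:lastchg:min:max:warn:inactive:expire:flag
# lastchg counts days since 1970-01-01; an empty max means no ageing.
SAMPLE_SHADOW = """\
root:*LK*:12900:0:::::
alice:$5$abc$hash:12900:7:90:14:::
bob:$5$def$hash:12600:7:90:14:::
carol:$5$ghi$hash:12870:7:90:14:::
dave:$5$jkl$hash:12500:0:::::
"""

def ageing_status(shadow_text, today):
    """Map each user to (status, days_left). 'today' is a day count in the
    same units as lastchg. Status is 'expired' when lastchg+max is before
    today, 'warning' inside the warn window, 'ok', or 'no-ageing' when
    max (or lastchg) is empty."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        name, lastchg, maxdays, warn = f[0], f[2], f[4], f[5]
        if not maxdays or not lastchg:
            result[name] = ("no-ageing", None)
            continue
        days_left = int(lastchg) + int(maxdays) - today
        warn_days = int(warn) if warn else 0
        if days_left < 0:
            status = "expired"
        elif days_left <= warn_days:
            status = "warning"
        else:
            status = "ok"
        result[name] = (status, days_left)
    return result

def accounts_bypassing_ageing(shadow_text, today, key_users):
    """Expired accounts that also hold an authorized key: with UsePAM no,
    a pubkey login on these succeeds with no forced password change.
    key_users (who has an authorized_keys file) is gathered separately."""
    status = ageing_status(shadow_text, today)
    return sorted(u for u in key_users if status.get(u, ("", 0))[0] == "expired")

if __name__ == "__main__":
    today = 12950  # constructed "today" that fits the sample data
    print(ageing_status(SAMPLE_SHADOW, today))
    print(accounts_bypassing_ageing(SAMPLE_SHADOW, today, {"alice", "bob", "dave"}))
```

On a real Solaris host the day count would come from the current date and the key list from each user's ~/.ssh/authorized_keys; the status logic is unchanged.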
