How to avoid password expiration for ssh?
Frequent Advisor
Kirill Cherkashin
Posts: 46
Registered: 12-26-2001
Message 1 of 10

How to avoid password expiration for ssh?

Hi,

I'm using ssh with private/public key exchange in an automated script for transferring Oracle archive logs between two machines. Unfortunately, our security guy urges us to turn password expiration on.
I always reckoned that using key pair exchange is a smart way to avoid constant password changes and it's especially useful for service accounts. However, I found this message in the ssh log:

Disconnecting: Password change required but no TTY available


So, is it possible somehow to avoid password expiration for ssh?
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: 08-15-2002
Message 2 of 10

Re: How to avoid password expiration for ssh?

In SAM on the target server

Users

modify

Disable password aging.

Of course this will require you to manually change it without reminders to maintain security.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Frequent Advisor
Kirill Cherkashin
Posts: 46
Registered: 12-26-2001
Message 3 of 10

Re: How to avoid password expiration for ssh?

Steven,


1) Password expiration should be turned on for this account,
i.e. password expiration should work in the standard way for telnet and ftp, but ssh and sftp could avoid it.
2) I don't want to make any regular manual password changes at all.
Respected Contributor
Vijaya Kumar_3
Posts: 450
Registered: 09-29-2003
Message 4 of 10

Re: How to avoid password expiration for ssh?

No, there is no separate password expiration available for SSH/SCP.

So there is no other way you can handle this, but you always have the option to change it using SAM or the modprpw command with your Unix administrator.

Thanks
Vijay
Known is a drop, unknown is ocean - visit me at http://vijay.theunixplace.com
Honored Contributor
RAC_1
Posts: 5,920
Registered: 03-21-2002
Message 5 of 10

Re: How to avoid password expiration for ssh?

I think you can't do that. ssh checks the account details, and when it sees the account is expired, it gives messages and exits.
There is no substitute to HARDWORK
Occasional Visitor
Jun Wang_2
Posts: 1
Registered: 10-27-2004
Message 6 of 10

Re: How to avoid password expiration for ssh?

I have exactly the same question.
Occasional Visitor
Jane Bell
Posts: 4
Registered: 08-18-1997
Message 7 of 10

Re: How to avoid password expiration for ssh?

I have exactly the opposite problem - accounts that are expired and/or disabled, but SSH ignores the status and allows the user to log in! Obviously I am concerned that disabled accounts can still log in!! We also have AIX servers and they work as you describe (i.e. they check the password status). As yet I've not worked out why the AIX servers work the opposite way around to the HP servers - if I do then I will probably have solved your question!

Our HP servers do check the password status if password (rather than passphrase/key) authentication is performed.

Running OpenSSH 3.8p1 (built locally)
Exalted Contributor
Steven E. Protter
Posts: 33,806
Registered: 08-15-2002
Message 8 of 10

Re: How to avoid password expiration for ssh?

The only way to disable for ssh is to disable for the user. This is a very bad idea and will make you fail a security audit if you have such things done.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Occasional Visitor
Jane Bell
Posts: 4
Registered: 08-18-1997
Message 9 of 10

Re: How to avoid password expiration for ssh?

Yep, that's the way it should be - but no one seems to have told our servers - much to my annoyance!

The debugging continues.....
Honored Contributor
Sridhar Bhaskarla
Posts: 6,350
Registered: 08-15-2001
Message 10 of 10

Re: How to avoid password expiration for ssh?

Hi Jane,

I fear you might have compiled your OpenSSH without PAM support (meaning without the --with-pam option).

3.8p1 is superseded by 3.8.1p1 now. I suggest you recompile the new version with PAM support and it should obey your password rules.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
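
Added example, not part of any post in this thread: besides building with --with-pam, sshd only runs PAM account checks when the UsePAM keyword in sshd_config is set to yes (the documented default is no). The sketch below reports the effective setting for a given config file; the function names are made up for this example, and it checks the config file only, not how the binary was built.

```shell
#!/bin/sh
# Added example: report the effective UsePAM value in an sshd_config file.
# sshd uses the first value it reads for a keyword, keywords are
# case-insensitive, and the default when UsePAM is absent is "no".
effective_usepam() {
    awk '
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }                      # skip blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # strip leading whitespace
            n = split(line, f, /[ \t=]+/)     # "Keyword value" or "Keyword=value"
            if (n >= 2 && tolower(f[1]) == "usepam") {
                print f[2]; found = 1; exit   # first occurrence wins
            }
        }
        END { if (!found) print "no" }        # documented default
    ' "$1"
}

# Returns 0 when PAM account checks (expiry, lock) can apply to logins,
# including key-based ones; returns 1 and warns otherwise.
pam_account_checks_enabled() {
    v=$(effective_usepam "$1")
    if [ "$v" = "yes" ]; then
        echo "OK: UsePAM yes in $1"
        return 0
    fi
    echo "WARN: UsePAM is '$v' in $1; PAM account checks are not run"
    return 1
}
```

Run it as `pam_account_checks_enabled /path/to/sshd_config` on the server whose key-based logins ignore expired or disabled accounts.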