Bug 2795

Summary: Login denied for expired passwords, no password change prompt offered
Product: Portable OpenSSH
Reporter: ab231 <z.pekar>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: dtucker, z.pekar
Priority: P5
Version: 7.6p1
Hardware: Other
OS: Linux

Description ab231 2017-10-19 01:02:25 AEDT
If a user's password has expired or was expired (e.g. with passwd --expire username), sftp fails to log in to the ssh server, saying:
Connection closed

If the same user tries to connect using ssh, it prompts him to change the expired password. I think sftp should behave the same way and prompt the user to change the expired password.

Thank you!
Comment 1 Darren Tucker 2017-10-19 09:26:20 AEDT
The mechanism sshd currently uses to perform the password change is to exec /bin/passwd on the tty of the logged-in user.  An sftp connection has no pty on the server side, so that's not possible in that case.

The reasons it's done that way are complicated, I will elaborate over on bug #2796.
Comment 2 Darren Tucker 2017-10-19 09:31:01 AEDT
That said, there is one existing mechanism that should work in that case: UsePAM=yes plus ChallengeResponseAuthentication=yes.  That will call pam_chauthtok() with a conversation function that can interact with the ssh client via the keyboard-interactive SSH auth method.
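A quick check for the mechanism Comment 2 describes, added here as an example and not part of the bug report or of OpenSSH itself: it reads `sshd -T` style output and reports whether UsePAM and keyboard-interactive authentication are both enabled, which is the only path that lets a pty-less sftp session reach pam_chauthtok(). The sample configurations are constructed; the keyword spelling `kbdinteractiveauthentication` for releases 8.7 and later is an assumption about newer sshd output.

```shell
#!/bin/sh
# Added example (not from the bug report): an expired password can only be
# changed on a pty-less sftp session if sshd routes it through PAM's
# pam_chauthtok() over the keyboard-interactive method, i.e. both
# UsePAM and ChallengeResponseAuthentication are "yes".

# pam_kbdint_enabled reads "keyword value" lines (the `sshd -T` format) on
# stdin and returns 0 when both required settings are on, 1 otherwise.
# Assumption: 7.x prints "challengeresponseauthentication"; 8.7 and later
# print "kbdinteractiveauthentication" after the option was renamed.
pam_kbdint_enabled() {
    usepam=no
    kbdint=no
    while read -r key value; do
        case "$key" in
            usepam) usepam=$value ;;
            challengeresponseauthentication|kbdinteractiveauthentication)
                kbdint=$value ;;
        esac
    done
    [ "$usepam" = yes ] && [ "$kbdint" = yes ]
}

# Constructed sample outputs. On a real host: sshd -T | pam_kbdint_enabled
GOOD_CONFIG='port 22
usepam yes
challengeresponseauthentication yes
passwordauthentication yes'

# With keyboard-interactive off, sftp users whose password has expired
# are simply disconnected ("Connection closed"), as the reporter saw.
BAD_CONFIG='port 22
usepam yes
challengeresponseauthentication no
passwordauthentication yes'

# check prints a verdict for one configuration and returns its status.
check() {
    if printf '%s\n' "$1" | pam_kbdint_enabled; then
        echo "ok: expired passwords can be changed via PAM keyboard-interactive"
        return 0
    fi
    echo "warn: sftp logins with expired passwords will be closed"
    return 1
}

check "$GOOD_CONFIG"
check "$BAD_CONFIG" || true   # expected to warn
```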
Comment 3 Darren Tucker 2019-01-24 14:43:37 AEDT
There's not much we can do for this specific case other than keyboard-interactive/pam, which already exists.  I'm closing this bug but I'll keep #2796 open in case a suitable interface does become available.
Comment 4 Damien Miller 2021-04-23 14:55:52 AEST
Closing resolved bugs as of the 8.6p1 release.