Bug 2795 - Login denied for expired passwords, no password change prompt offered
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd
Version: 7.6p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2017-10-19 01:02 AEDT by ab231
Modified: 2021-04-23 14:55 AEST
Description ab231 2017-10-19 01:02:25 AEDT
If a user's password has expired (or was expired, e.g. with passwd --expire username), sftp will fail to log in to the ssh server, saying:
Connection closed

If the same user tries to connect using ssh, it prompts him to change the expired password. I think sftp should behave the same way and prompt the user to change the expired password.

Thank you!
Comment 1 Darren Tucker 2017-10-19 09:26:20 AEDT
The mechanism sshd currently uses to perform the password change is to exec /bin/passwd on the tty of the logged-in user.  An sftp connection has no pty on the server side, so that's not possible in that case.

The reasons it's done that way are complicated, I will elaborate over on bug #2796.
Comment 2 Darren Tucker 2017-10-19 09:31:01 AEDT
That said, there is one existing mechanism that should work in that case: UsePAM=yes plus ChallengeResponseAuthentication=yes.  That will call pam_chauthtok() with a conversation function that can interact with the ssh client via the keyboard-interactive SSH auth method.
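As an added check, not part of this bug report or of OpenSSH itself, the script below reads the effective server configuration in the form `sshd -T` prints it (run as root on the server) and reports whether the UsePAM plus ChallengeResponseAuthentication path from the comment above is enabled; it also accepts KbdInteractiveAuthentication, the name later OpenSSH releases print for the same setting. The sample input is constructed.

```shell
# Constructed sample of `sshd -T` output (sshd's dump of the effective
# configuration); on a real server pipe `sshd -T` into the function instead.
SAMPLE_SSHD_T='port 22
usepam yes
challengeresponseauthentication yes
passwordauthentication yes'

# Reads "keyword value" lines (sshd -T format) on stdin and returns 0 only when
# both UsePAM and ChallengeResponseAuthentication (or its later alias,
# KbdInteractiveAuthentication) are "yes", i.e. when sshd can drive
# pam_chauthtok() over keyboard-interactive instead of needing a tty.
kbdint_pw_change_enabled() {
    pam=no
    kbd=no
    while read -r key val; do
        case "$key" in
            usepam) pam=$val ;;
            challengeresponseauthentication|kbdinteractiveauthentication) kbd=$val ;;
        esac
    done
    [ "$pam" = yes ] && [ "$kbd" = yes ]
}

if printf '%s\n' "$SAMPLE_SSHD_T" | kbdint_pw_change_enabled; then
    echo "expired-password change over keyboard-interactive: available"
else
    echo "expired-password change over keyboard-interactive: NOT available;"
    echo "sftp logins with an expired password will be refused"
fi
```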
Comment 3 Darren Tucker 2019-01-24 14:43:37 AEDT
There's not much we can do for this specific case other than keyboard-interactive/pam, which already exists.  I'm closing this bug but I'll keep #2796 open in case a suitable interface does become available.
Comment 4 Damien Miller 2021-04-23 14:55:52 AEST
closing resolved bugs as of 8.6p1 release