There appears to be a problem with SSH on AIX 5.1 on systems running secldap client (secldapclntd): ssh ignores the maxage attribute specified for the SYSTEM=LDAP users in the ldap directory. Instead ssh is looking for the maxage attribute in the /etc/security/user and the 'lastupdate' in the /etc/security/passwd. If the default stanza in the /etc/security/user does not contain maxage the LDAP user never gets a prompt to change the expired password. If the default stanza does contain the maxage then the user always (even after changing the password successfully) gets prompted to change the password (LDAP users do not have stanzas in the /etc/security/passwd with the lastupdate attribute).
All sshd does is call the system-supplied functions (setauthdb, passwdexpired), it doesn't go looking into /etc/security itself. Does telnetd do what you expect?
Thanks for fast response. telnetd does prompt for password change. I will test passwdexpired function to see if it returns 0 as soon as I get back in the office; it seems it's looking at wrong registry. Also if set the UseLogin to yes sshd appears to work fine (I wonder if the 'login' uses passwdexpired or something else like loginrestrictions?).
If you run the server in debug mode ("/path/to/sshd -ddd") you can see what arguments are given to setauthdb and what the results of passwdexpired are. Most of the AIX-specific code (including those bits) is in openbsd-compat/port-aix.c. Logging in via telnet is going to exec /usr/bin/login anyway, so it's not surprising that sshd with UseLogin works. What we need to figure out is what login is does differently in this case...
Oh, and please attach the debug output from the server to this bug (use "Create a New Attachment").
Created attachment 637 [details] Debug output from sshd -ddd passwdexpired is returning 1 for a password that is only 4 days old; maxage set to 13 weeks?!
From the debugging: debug1: match: OpenSSH_3.7.1p2-pwexp26_krb5 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.7.1p2-pwexp26_krb5 debug1: Failed dlopen: /usr/krb5/lib/libkrb5.a(libkrb5.a.so): A file or directory in the path name does not exist. That looks like the IBM-supplied package (which is modified). It's not the software as supplied by the OpenSSH team. (It's not the version you put in the bug report either). You need to open a PMR against the IBM OpenSSH package. Feel free to reopen this bug if you can reproduce the error with the vanilla 3.8.1p1 source distribution.
Created attachment 638 [details] test of passwdexpired() alone the attached program returns this: password not expired passwdexpired() returened 0 if I set time forward 13 weeks it returnes this: # /tmp/p password expired passwdexpired() returened 1 Does this mean that aix_setauthdb is not setting the registry correctly? regards Vasiliy
Just recompiled 3.8.1p1 and the issue does not exist. Thank you for your help.
Mass move of bugs RESOLVED->CLOSED following the release of openssh-5.5p1