https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016960#M750554 Hi Karen,<BR /><BR />Unfortunately this is the same situation on all Unix platforms as SSH is written to be as generic and portable as possible. In order to generic the authors could not easily tie SSH into each OS's password ageing system.<BR /><BR />You also have the same situation if you use keys to login, and there's nothing to stop you choosing a passphrase of <ENTER>/Nothing, and there is no history management or timeout.<BR /><BR />The only solution I can offer is to only allow users to SSH to other unprivileged users, and then "su". You can then enforce the password ageing on those accounts, and you also have a record of who used them, and when.<BR /><BR />Andrew</ENTER> Tue, 08 Jul 2003 04:49:06 GMT Andrew Cowan 2003-07-08T04:49:06Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016959#M750553 On hpux 11.00 server with TCB enabled and openssh 2.5.1p1 installed, users will be forced to change password as set up when they login using telnet. But this is skipped/by-passed when they use SSH. <BR /><BR />Any idea why and how to prevent it?<BR /><BR />Thanks!<BR /><BR />Karen Mon, 07 Jul 2003 17:09:14 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016959#M750553 Karen Shen_1 2003-07-07T17:09:14Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016960#M750554 Hi Karen,<BR /><BR />Unfortunately this is the same situation on all Unix platforms as SSH is written to be as generic and portable as possible. In order to generic the authors could not easily tie SSH into each OS's password ageing system.<BR /><BR />You also have the same situation if you use keys to login, and there's nothing to stop you choosing a passphrase of <ENTER>/Nothing, and there is no history management or timeout.<BR /><BR />The only solution I can offer is to only allow users to SSH to other unprivileged users, and then "su". You can then enforce the password ageing on those accounts, and you also have a record of who used them, and when.<BR /><BR />Andrew</ENTER> Tue, 08 Jul 2003 04:49:06 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016960#M750554 Andrew Cowan 2003-07-08T04:49:06Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016961#M750555 just hit submit once and wait<BR /><BR />for some reason it comes back almost immediately but it is not done Tue, 08 Jul 2003 12:53:04 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016961#M750555 John Bolene 2003-07-08T12:53:04Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016962#M750556 I think this has been added as a "feature" in the latest openssh release..<BR /><BR />GooD LUck Tue, 08 Jul 2003 20:50:53 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016962#M750556 D. Jackson_1 2003-07-08T20:50:53Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016963#M750557 Hi John,<BR /><BR />Thanks for sorting out my duplicate posts. Sometimes when I press submit I can wait for 20 minutes and then get a "page not found" error, and perhaps nothing is posted. Here at the bank we have an E3 connection so it should (and 90% of the time does) happen pretty-much instantly, however every now and again it seems to go pear-shaped.<BR /> Wed, 09 Jul 2003 03:54:36 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016963#M750557 Andrew Cowan 2003-07-09T03:54:36Z https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016964#M750558 Hi,<BR /><BR />Your version of openssh is extremely old. You should upgrade it to the latest which fixes quite a number of security issues since openssh 2.5.1p1.<BR /><BR />As for your question, offhand, I believe you can workaround this limitation by writing scripts to interface your system login scripts with /tcb files. With a combination of trap signals used in your script, you should be able to enforce password changes.<BR /><BR />Hope this helps. Regards.<BR /><BR />Steven Sim Kok Leong Sat, 12 Jul 2003 01:54:48 GMT https://community.hpe.com/t5/operating-system-hp-ux/openssh-and-tcb/m-p/3016964#M750558 Steven Sim Kok Leong 2003-07-12T01:54:48Z