Operating System - OpenVMS
SSH and expired passwords

Piet Timmers_1
Frequent Advisor

SSH and expired passwords

During some tests I modify my OpenVMS password using AUTHORIZE to a new one, which is then pre-expired. This is normally not a problem: you log in and you must change your password.

But now, I use SSH and I cannot log in anymore, I keep getting the message: access denied.

Is there a way to solve this problem?

Greetings,

Piet
9 REPLIES
Brad McCusker
Respected Contributor

Re: SSH and expired passwords

Hello Piet,

You've not told us what version of VMS, TCP/IP, TCPIP vendor, etc. But, I will take a shot at answering, and I will assume latest versions.

I think you probably need to set the parameter AllowNonvmsLoginWithExpiredPw.

From the SSH Guide:

AllowNonvmsLoginWithExpiredPw

Allowed values: yes, no

Default: no

Description: Controls behavior when a different SSH client implementation attempts to establish an SSH connection to an OpenVMS server account with an expired password. The password change option is implemented for OpenVMS-to-OpenVMS connections only. The value yes allows clients to connect with the following warning message and sets the pwd_expired flag in the user's SYSUAF record: WARNING - Your password has expired; update immediately with SET PASSWORD! The value no rejects the login. The SSH client implementation must support the CHANGEREQ mechanism (message type 60) to update passwords.


That gets you part way there. Next is this from the V5.6 release notes:


4.14.1 SSH Server Does Not Allow Password Change

Problem:
The SSH server does not support password change requests for non-VMS clients
when account passwords have expired.

Solution:
If the SSH configuration option AllowNonvmsLoginWithExpiredPwd is set to "yes" and the password has expired, the server sends a request to the client to prompt the user for a new password. The user must change the password, or the account will be locked out, and the next attempt to log in will fail.

However, if the OpenVMS account has the DisForce_Pwd_Change flag set in the SYSUAF, the server allows the user to log in, displaying the following message:

WARNING - Your password has expired; update immediately with SET PASSWORD!

The DisForce_Pwd_Change flag must be applied to each OpenVMS account individually.

The default setting for the AllowNonvmsLoginWithExpiredPwd option has been changed to "yes." If the AllowNonvmsLoginWithExpiredPwd option is set to "no," the server does not allow password authentication for non-OpenVMS clients when the password has expired. The user does not have the option to change the password. For more information, refer to Section 5.2.

END of Release Note.

FWIW, I am very certain that the release note is in error - the default has NOT been changed to "yes", it is still "no".

So, in summary, try setting that parameter.

Brad McCusker
Software Concepts International
Brad McCusker
Respected Contributor

Re: SSH and expired passwords

One more thing...

The parameter is set in the file SSHD2_CONFIG. - the server config file.

Brad McCusker
Software Concepts International
www.sciinc.com
Jon Pinkley
Honored Contributor

Re: SSH and expired passwords

Here are some previous threads discussing SSH and pre-expired passwords.

Problem with ssh and preexpired password

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=849798

Automatically set PWD_EXPIRED Flag

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=1164674

Problem with the pre-expired flag

http://forums11.itrc.hp.com/service/forums/questionanswer.do?threadId=816811

I really dislike setting the DISFORCE_PWD_CHANGE flag, since it changes the password expired flag when you log in after the password expiration time has passed, and once that flag is set, all login attempts will fail, including batch jobs. The point being that there is a window of time after the login, but before the password is reset, that batch jobs will fail, and I find that to be unacceptable.

Jon
it depends
Piet Timmers_1
Frequent Advisor

Re: SSH and expired passwords

Brad,

When setting AllowNonvmsLoginWithExpiredPwd to yes I get the following login information:


warning: Unrecognized configuration parameter 'AllowNonvmsLoginWithExpiredPwd'.
warning: Unrecognized configuration parameter 'AllowNonvmsLoginWithPreExpiredPwd'.
warning: Failed to parse some variables from config file '/etc/ssh2/ssh2_config'.
warning:

******************

You may have a old style configuration file. Please follow the
instructions in the release notes to use the new configuration
files.

******************

We are using:

$ tcpip sh ver

HP TCP/IP Services for OpenVMS Industry Standard 64 Version V5.6 - ECO 1
on an HP rx6600 (1.59GHz/9.0MB) running OpenVMS V8.3

Greetings,

Piet
Piet Timmers_1
Frequent Advisor

Re: SSH and expired passwords

Sorry, I was too fast (did not read very well).
When changing the file SSHD2_CONFIG.; (and not SSH2_CONFIG.;) it works as expected.

I still have a strange behaviour using Reflection for UNIX and OpenVMS.

When starting a session using "secure shell" it works. When creating a second session from the same PC to the same server I get:



I both sessions, so my already existing session is also closed.

Greetings,

Piet
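Brad's advice above (set the expired-password option in the server file SSHD2_CONFIG, default "no") and Piet's experience (putting it in the client file SSH2_CONFIG only produces "Unrecognized configuration parameter" warnings) suggest a small audit script. The following is an added example, not code from the thread or from HP TCP/IP Services; it assumes a plain "Keyword value" line syntax with "#" comments (the exact grammar of the HP SSH2 config files is an assumption), treats both spellings that appear in the thread as the same setting because the SSH Guide and the release note disagree on the name, and takes "no" as the effective default as Brad states. The sample config contents are constructed.

```python
"""Audit OpenVMS SSH server/client config files for the expired-password option.

Added example, not from the thread or from HP's SSH implementation.
Assumptions (labelled): 'Keyword value' lines, '#' comments, case-insensitive
keywords, last occurrence wins; default for the option is 'no'.
"""
from typing import Dict, List, Tuple

SERVER_FILE = "SSHD2_CONFIG."   # server config: where the option is honoured
CLIENT_FILE = "SSH2_CONFIG."    # client config: where it is only a warning

# Both spellings seen in the thread (SSH Guide vs. release note); treated as one option.
EXPIRED_PW_KEYS = ("allownonvmsloginwithexpiredpw", "allownonvmsloginwithexpiredpwd")
DEFAULT_EXPIRED_PW = "no"       # per Brad's post, not the (disputed) release note


def parse_ssh2_config(text: str) -> Dict[str, str]:
    """Parse 'Keyword value' lines into a dict keyed by lower-cased keyword."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue                          # keyword without a value: ignore
        settings[parts[0].lower()] = parts[1].strip()
    return settings


def effective_expired_pw(settings: Dict[str, str]) -> str:
    """Value of the expired-password option, or the assumed default 'no'."""
    for key in EXPIRED_PW_KEYS:
        if key in settings:
            return settings[key].lower()
    return DEFAULT_EXPIRED_PW


def audit(files: Dict[str, str]) -> Tuple[str, List[str]]:
    """files maps file name -> contents. Returns (effective value, findings)."""
    findings: List[str] = []
    server = parse_ssh2_config(files.get(SERVER_FILE, ""))
    value = effective_expired_pw(server)
    if not any(k in server for k in EXPIRED_PW_KEYS):
        findings.append(f"{SERVER_FILE} does not set the option; effective value is "
                        f"the default '{DEFAULT_EXPIRED_PW}' (non-VMS clients with an "
                        f"expired password are rejected)")
    elif value not in ("yes", "no"):
        findings.append(f"{SERVER_FILE}: unexpected value '{value}' (allowed: yes, no)")
    client = parse_ssh2_config(files.get(CLIENT_FILE, ""))
    if any(k in client for k in EXPIRED_PW_KEYS):
        findings.append(f"option found in {CLIENT_FILE} (client file); sshd only reads "
                        f"{SERVER_FILE}, so it has no effect there")
    return value, findings


# Constructed sample contents reproducing the two situations in the thread.
SAMPLE_WRONG_FILE = {
    CLIENT_FILE: "# constructed sample\nAllowNonvmsLoginWithExpiredPwd yes\n",
}
SAMPLE_CORRECT = {
    SERVER_FILE: "# constructed sample\nPort 22\nAllowNonvmsLoginWithExpiredPwd yes\n",
}

if __name__ == "__main__":
    for label, files in (("wrong file", SAMPLE_WRONG_FILE), ("correct", SAMPLE_CORRECT)):
        value, findings = audit(files)
        print(f"{label}: effective value = {value}")
        for f in findings:
            print("  -", f)
```

Running it on the two constructed samples reports the default "no" with two findings for the client-file case, and "yes" with no findings once the line is in SSHD2_CONFIG.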
EdgarZamora_1
Respected Contributor

Re: SSH and expired passwords

FYI,

I had tested a couple of the commercial terminal emulators a while back. I was able to get Reflections to work with the expired passwords (in other words, I got Reflections to display a window asking for a new password). I wasn't able to get Smarterm to work (just get access denied). We even tried working with Esker on this but to no avail. I didn't test any other products.
Ruud Dijt
Advisor

Re: SSH and expired passwords

Piet, hi, you did not specify which version of Reflection you use; you need at least Reflection version 13. That solves a lot of SSH problems.
EdgarZamora_1
Respected Contributor

Re: SSH and expired passwords

Just for completeness, and to update my previous post... the new version of Smarterm, Smarterm version 13 (aka Smarterm 2009) ssh works properly now with expired passwords. It will prompt you to change your password (instead of just denying access as the previous versions did).
Richard W Hunt
Valued Contributor

Re: SSH and expired passwords

Piet, regarding losing the sessions:

Don't know how to classify this; as feature, bug, or outright incorrect portage of the s/w, but in Reflections, there is a checkbox you need to look at - and uncheck if needed.

From a non-connected Reflections session, I have to use

Connection >> Connection Setup >> Security (a button at the bottom left of the setup box) >> General (tab on the security box)

Then near the bottom of that pane, UNCHECK the box that says "Reuse existing connection if available" and save the configuration. NOW try to make two connections. Should work a LOT better.

I have no idea what parameter on the server side would allow this to work better, but on our system, the above works just fine.


Sr. Systems Janitor