Operating System - HP-UX

Re: How to avoid password expiration for ssh?

 
Kirill Cherkashin
Frequent Advisor

How to avoid password expiration for ssh?

Hi,

I'm using ssh with private/public exchange in an automated script for transferring Oracle archive logs between two machines. Unfortunately, our security guy urges us to turn password expiration on.
I always reckoned that using key pair exchange is a smart way to avoid constant password change and it's especially useful for service accounts. However, I found this message in the ssh log:

Disconnecting: Password change required but no TTY available


So, is it possible somehow to avoid password expiration for ssh?
Steven E. Protter
Exalted Contributor

Re: How to avoid password expiration for ssh?

In SAM on the target server

Users

modify

Disable password aging.

Of course this will require you to manually change it without reminders to maintain security.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Kirill Cherkashin
Frequent Advisor

Re: How to avoid password expiration for ssh?

Steven,


1) Password expiration should be turned on for this account,
i.e. password expiration should work in the standard way for telnet and ftp, but ssh and sftp could avoid it.
2) I don't want to make any regular manual password changes at all.
Vijaya Kumar_3
Respected Contributor

Re: How to avoid password expiration for ssh?

No, there is no separate password expiration available for SSH/SCP.

So there is no other way you can handle this, but you always have the option to change it using SAM or the modprpw command with your Unix administrator.

Thanks
Vijay
Known is a drop, unknown is ocean - visit me at http://vijay.theunixplace.com
RAC_1
Honored Contributor

Re: How to avoid password expiration for ssh?

I think you can't do that. ssh is checking account details, and when it sees it is expired, it gives messages and exits.
There is no substitute to HARDWORK
Jun Wang_2
New Member

Re: How to avoid password expiration for ssh?

I have exactly the same question.
Jane Bell
New Member

Re: How to avoid password expiration for ssh?

I have exactly the opposite problem - accounts that are expired and/or disabled but SSH ignores the status and allows the user to log in! Obviously I am concerned that disabled accounts can still log in!! We also have AIX servers and they work as you describe (i.e. they check the password status). As yet I've not worked out why the AIX servers work the opposite way around to the HP servers - if I do then I will probably have solved your question!

Our HP servers do check the password status if password (rather than passphrase/key) authentication is performed.

Running OpenSSH 3.8p1 (built locally)
Steven E. Protter
Exalted Contributor

Re: How to avoid password expiration for ssh?

The only way to disable for ssh is to disable for the user. This is a very bad idea and will make you fail a security audit if you have such things done.

SEP
Jane Bell
New Member

Re: How to avoid password expiration for ssh?

Yep, that's the way it should be - but no one seems to have told our servers - much to my annoyance!

The debugging continues.....
Sridhar Bhaskarla
Honored Contributor

Re: How to avoid password expiration for ssh?

Hi Jane,

I fear you might have compiled your openssh without PAM support (that is, without the --with-pam option).

3.8p1 is superseded by 3.8.1p1 now. I suggest you recompile the new version with PAM support and it should obey your password rules.

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
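
Added example, not part of the thread: a POSIX shell check an administrator could run alongside the rebuild suggested above, to confirm that the sshd_config in use actually enables PAM, so that account and password-aging rules are applied to key-based logins as well. It assumes an sshd binary built with --with-pam; the function names and the sample configurations are constructed for illustration.

```shell
#!/bin/sh
# Report the effective UsePAM value of an sshd_config read from stdin.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and upstream OpenSSH defaults UsePAM to "no".
effective_usepam() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)            # drop leading whitespace
            sub(/[ \t]*=[ \t]*/, " ", line)     # "Keyword=value" is also accepted
            n = split(line, f, /[ \t]+/)
            if (n >= 2 && tolower(f[1]) == "usepam") {
                v = f[2]; gsub(/"/, "", v)      # strip optional quotes
                print v; found = 1; exit
            }
        }
        END { if (!found) print "no" }          # keyword absent: default applies
    '
}

# Returns 0 when PAM is enabled, 1 otherwise (config on stdin).
audit_usepam() {
    v=$(effective_usepam)
    if [ "$v" = "yes" ]; then
        echo "OK: UsePAM yes, PAM account checks apply to all authentication types"
        return 0
    fi
    echo "WARN: effective UsePAM is '$v', key logins may bypass PAM account checks"
    return 1
}

# Constructed sample: the later "UsePAM yes" is ignored, the first value wins.
sample_shadowed() {
    printf '%s\n' '# constructed sample' 'Protocol 2' \
        'PubkeyAuthentication yes' 'usepam no' 'UsePAM yes'
}

# Constructed sample: PAM enabled using the "=" separator.
sample_enabled() {
    printf '%s\n' 'PubkeyAuthentication yes' 'UsePAM=yes'
}

sample_shadowed | audit_usepam || true
sample_enabled | audit_usepam
```

On a real host, feed it the configuration file the running daemon was started with, for example `audit_usepam < /path/to/sshd_config` (the path depends on how the local build was configured).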