Date: Wed, 25 Jul 2001 04:19:55 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200107250819.f6P8Jt715529@giganda.komkon.org>
To: security@freebsd.org
Subject: sshd, pam and password expiration

I ran into the following problem:

FreeBSD 4.3-RELEASE box.
If a user has the password expired (non-zero corresponding field in
/etc/master.passwd), then upon login via ssh (using an ssh2 client)
the following happens, depending on the client:

Unix ssh2 client (e.g. SSH Secure Shell 2.3.0 (non-commercial version)):
Upon login, the following message appears:

    Authentication successful.
    Warning: Your password has expired, please change it now

And then the connection freezes up, while the log is filled with
thousands of messages per second:

    Jul 25 04:03:51 HOST sshd[15221]: PAM pam_chauthtok failed[6]: Permission denied
    Jul 25 04:03:51 HOST giganda sshd[15221]: no modules loaded for `sshd' service

/etc/pam.conf has the following lines relevant to ssh:

    sshd auth sufficient pam_skey.so
    sshd auth required pam_unix.so try_first_pass
    sshd session required pam_permit.so
    csshd auth required pam_skey.so

If a Windows-based ssh.com's ssh is used, the user gets the message:

    Server responded "No further authentication methods available".

and nothing else happens.

There are no problems if the connection is via an ssh1 client,
or if the password is not expired.

Questions:
1. What is the reason and what is misconfigured?
2. Where can I read a nice description of pam authentication?

Thanks,

Igor
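
An added example, not part of the original message: a Python check that lists the PAM facilities for which a service has no modules in pam.conf-style text, run over the sshd lines quoted above (pam_chauthtok, the call failing in the log, uses the `password` facility). It assumes the quoted lines are the complete sshd configuration and that `other` service entries act as the fallback for a facility the service does not define; all function names are hypothetical.

```python
# Added example: find PAM facilities with no modules for a given service.
FACILITIES = ("auth", "account", "session", "password")

# Constructed sample: the pam.conf lines quoted in the message above.
SAMPLE_PAM_CONF = """\
sshd auth sufficient pam_skey.so
sshd auth required pam_unix.so try_first_pass
sshd session required pam_permit.so
csshd auth required pam_skey.so
"""


def parse_pam_conf(text):
    """Return {service: {facility: [(control, module, args), ...]}}."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        # pam.conf format: service facility control module [arguments...]
        if len(fields) < 4 or fields[1].lower() not in FACILITIES:
            continue  # malformed line or unknown facility: ignore it
        service, facility = fields[0].lower(), fields[1].lower()
        entry = (fields[2], fields[3], fields[4:])
        table.setdefault(service, {}).setdefault(facility, []).append(entry)
    return table


def effective_modules(table, service, facility):
    """Modules used for a facility: the service's own, else those of 'other'."""
    own = table.get(service, {}).get(facility)
    if own:
        return own
    return table.get("other", {}).get(facility, [])  # assumed fallback


def missing_facilities(text, service):
    """Facilities for which neither the service nor 'other' has any module."""
    table = parse_pam_conf(text)
    return [f for f in FACILITIES if not effective_modules(table, service, f)]


if __name__ == "__main__":
    for name in ("sshd", "csshd"):
        print(name, "has no modules for:", missing_facilities(SAMPLE_PAM_CONF, name))
```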