2

I have a Ubuntu 8.10 build with OpenSSH version 5.1p1 running. I create a new user account, set the password, then expire it using the following command:

chage -d 0 username

I want to force the user to change their expired password on first login.

When the user starts a new PuTTY SSH 2 connection, they enter their username and the correct password. However, instead of being prompted to change the expired password, the session is closed with the following PuTTY fatal error:

"Server unexpectedly closed network connection"

To investigate further, I started a new sshd in debug mode on a different port using the following command:

/usr/sbin/sshd -ddde -p 1022

Then I attempt to login on this new SSH port. Here is my output:

debug1: userauth-request for user username service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for username
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 12
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive_expect entering: type 50
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
debug3: mm_request_send entering: type 50
Failed password for username from xxx.xxx.xxx.xxx port 2044 ssh2
debug3: mm_request_receive entering
debug3: mm_do_pam_account returning 0
debug1: userauth_send_banner: sent
Access denied for user username by PAM account configuration
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

It seems like I am not receiving the correct message from pam_acct_mgmt. Am I not expiring the password the correct way? How can I resolve this issue? Thanks!

1 Answers1

1

You could use just passwd -e username. The command chage -d 0 username sets the last login to January 1'st 1970.

pyhimys
  • 1,267
  • 10
  • 10
  • That did not work. I set the password, then did "passwd -S username". I verified the account is active. I then expired the password as suggested. Both "chage -d 0 username" and "passwd -e username" give the same result. Anyone else have other suggestions? –  Aug 06 '09 at 22:37
  • And you're sure that you don't have expiry date set for the user? – pyhimys Aug 12 '09 at 05:26