There seems to be incomplete code in the SSH daemon in both versions 1.2.27 and 2.0.11 (only tested). The bug simply allows users with expired accounts (in /etc/shadow) to continue to login even though other services such as ftp and telnet deny access.

Here is the log using 1.2.27 (but the same happens with 2.0.11).

    [root@epicenter /etc]# chage -l lamer
    Minimum:        3
    Maximum:        30
    Warning:        5
    Inactive:       -1
    Last Change:            Jan 01, 1999
    Password Expires:       Jan 31, 1999
    Password Inactive:      Never
    Account Expires:        Jan 22, 1999
    [root@epicenter /etc]# date
    Sat Jan 23 13:57:51 PST 1999
    [root@epicenter /etc]# telnet localhost
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

    login: lamer
    Password:
    Your account has expired.  Please contact the system administrator.
    Connection closed by foreign host.
    [root@epicenter /etc]# ssh1 -l lamer localhost
    lamer@localhost's password:
    No mail.
    (lamer@epicenter) lamer> .......

Now I wanted to try whether the account expiration worked using SSH, and it does. If a user's password has expired, then SSH will prompt following the login for the user to enter a new password and disconnect them if they fail to (like a telnet would).

I have reported this problem to the SSH bug e-mail address about 2 weeks ago with no response.

Current System Configuration:
    Linux 2.0.36
    Shadow Utilities 980724
    SSH 1.2.27 and 2.0.11 (both daemons)

Any solutions (patch?) to this problem would be appreciated. Currently I just run a shell script to change the user's shell to deny them, but this shouldn't be necessary since this is one of the listed features of the Shadow Utilities.

Thanks.

Raymond T Sundland
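The check that telnet performs and that the reported sshd versions skip is a comparison of the account-expiry field of /etc/shadow against the current day number. The following is an added example (not code from the post, from sshd or from the Shadow Utilities) that parses shadow-format records and reports, for a given date, which accounts are expired and which only have an expired password; the day-count semantics follow shadow(5), and the sample records are constructed to match the chage output above (user "lamer" expiring Jan 22, 1999).

```python
"""Report expired accounts and expired passwords from /etc/shadow records.

Added example, not code from the original report, sshd or shadow-utils.
Date fields in /etc/shadow are day counts since 1970-01-01; an empty
field or -1 means "not set". The records below are constructed."""
from datetime import date

# Constructed /etc/shadow records:
# name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
lamer:$1$placeholder:10592:3:30:5:-1:10613:
alice:$1$placeholder:10592:3:30:5::11000:
bob:$1$placeholder:10500:0:30:7:::
"""

EPOCH = date(1970, 1, 1)

def day_number(d):
    """Days since 1970-01-01, the unit /etc/shadow uses for its date fields."""
    return (d - EPOCH).days

def _field(value, default=None):
    """Empty or -1 in a shadow date/interval field means 'not set'."""
    return default if value in ("", "-1") else int(value)

def parse_shadow(text):
    """Parse shadow-format lines into {user: {lastchg, max, expire}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * 9)[:9]
        users[f[0]] = {"lastchg": _field(f[2]), "max": _field(f[4]),
                       "expire": _field(f[7])}
    return users

def account_status(rec, today):
    """Return 'expired', 'password-expired' or 'ok' for one record on 'today'."""
    now = day_number(today)
    # Account expiry: the check telnet applied and the reported sshd did not.
    if rec["expire"] is not None and rec["expire"] > 0 and now >= rec["expire"]:
        return "expired"
    # Password expiry: lastchg + max already passed (the case sshd did handle).
    if (rec["lastchg"] is not None and rec["max"] is not None
            and rec["lastchg"] + rec["max"] < now):
        return "password-expired"
    return "ok"

def check_all(text, today):
    """Status of every account in the given shadow text on the given date."""
    return {name: account_status(rec, today) for name, rec in parse_shadow(text).items()}

if __name__ == "__main__":
    for name, status in check_all(SAMPLE_SHADOW, date(1999, 1, 23)).items():
        print(f"{name}: {status}")
```

Run against a real /etc/shadow (as root) with today's date, any account reported as "expired" is one that a login service honouring the shadow expiry field would refuse.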
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:30:00 PDT