PAM, Solaris, Openssh and Forcing a password change

Here's the issue. Currently when I run passwd -f "username" on any account, when I try to log in with said account I don't get prompted to change my password; I just keep getting prompted to input a password. (Of course this works just fine with telnet.) Is there something I need to add to /etc/pam.conf to make this work?

What version of Solaris? Solaris 10 comes with ssh, are you using that? If not, what version of openssh? Did you get it from blastwave or sunfreeware?

Is UsePAM set in sshd.conf?

Hi, thanks for responding. I'm using Solaris 10 and I've replaced Sun's ssh with the Solaris portable version of openssh 5.0 from Openssh.com. UsePAM is set to yes in sshd_config.

I'd have expected this behaviour to be the way it was designed.
Thinking about it, you're forcing the user to change their password, but how do you know that the correct user is changing the appropriate password? SSH requires you to authenticate to log in - how can you do this if you're forcing a password change on the user? SSH can't determine if you're the user in question.

To put it more simply, you need to be authenticated before you're allowed to change your password, for security reasons. Logging in via SSH would mean that the initial authentication is failing/problematic.

I normally set a simple default password for the user and get them to change it themselves after first logging in - there may be easier ways of doing it, but I haven't found it.

Well, it's not what I would expect. Normally, the user is prompted for the old password and this assures that the proper user is making the change. Then the user is prompted for the new password. Because of pam's inelegant design, the session is dropped and then the user must log in again with the new password. This works with telnet according to the OP. It also works with Sun's ssh.

Which brings me to the only suggestion I can think of... use Sun's ssh.

Yes, this is the expected behavior. However, I'd like to stick with openssh because of the Force directives that work well for our current environment.

Anyone????????

Any CA agent running on the system?