0 Replies Latest reply on Apr 25, 2013 7:24 AM by dermute

    Pubkey with expired Accounts

      I noticed that an SSH login with pubkey auth doesn't work in Solaris with expired passwords. It just asks for a password.

      For example an SSH-Login with Pubkey doesn't work with....
      grep userxy /etc/shadow
      But it works after setting a new password with....
      grep userxy /etc/shadow

      So I tried to figure out how to deactivate this behaviour.

      SSH uses PAM by default and pam_unix_cred.so.1 checks the account expiry. But even the PAM-Debug Log only contains a msg about an invalid Pubkey (that's not true). And as I said before, after setting the password it works.... (PAM Log: http://pastebin.com/Xe44nAqs)

      My pam.conf isn't modified and these are my relevant lines from sshd_config:
      PermitEmptyPasswords no
      PasswordAuthentication yes
      PAMAuthenticationViaKBDInt yes

      That's what I want to have:
      - If there is a pubkey for the user: grant login (even with expired passwords)
      - If there is no pubkey: do password auth for a non-expired password; don't allow login for an expired user

      I have already tried so many different configurations that I am just confused now. Do you have any suggestions?