0 Replies Latest reply: Apr 25, 2013 2:24 AM by dermute

    Pubkey with expired Accounts

    dermute
      Hello,
      I mentioned that an SSH login with pubkey auth doesn't work in Solaris with expired passwords. It just asks for a password.

      For example an SSH-Login with Pubkey doesn't work with....
      grep userxy /etc/shadow
      userxy1:$2a$04$mymegahash:0:0:90::::
      But it works after setting a new password with....
      grep userxy /etc/shadow
      userxy1:$2a$04$mymegahash2:1582:0:90::::


      So I tried to figure out how to deactivate this behaviour.


      SSH uses PAM by default and pam_unix_cred.so.1 checks the account expiry. But even the PAM-Debug Log only contains a msg about an invalid Pubkey (that's not true). And as I said before, after setting the password it works.... (PAM Log: http://pastebin.com/Xe44nAqs)

      My pam.conf isn't modified, and these are the relevant lines from my sshd_config:
      PermitEmptyPasswords no
      PasswordAuthentication yes
      PAMAuthenticationViaKBDInt yes



      That's what I want to have:
      - If there is a pubkey for the user: grant login (even with expired passwords)
      - If there is no pubkey: do password auth for a non-expired password; don't allow login for an expired user

      I have tried so many different configurations that I am just confused now. Do you have any suggestions?
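
The two /etc/shadow lines in the post differ only in the hash and the third field (lastchg, days since 1970-01-01); a lastchg of 0 marks the password as needing a change at the next login. The following is an added example, not part of the original post, that classifies the aging state of shadow-style lines so affected accounts can be listed before a key-based login fails. The function name `shadow_state`, the sample accounts, the day number 15820 (2013-04-25) and the exact max-age comparison are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the post): classify password-aging state of
# shadow-style lines read on stdin.
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:flag
# usage: shadow_state TODAY_IN_DAYS_SINCE_EPOCH < shadow-file
shadow_state() {
    awk -F: -v today="$1" '
    /^#/ || /^$/ { next }                      # skip comments and blank lines
    NF < 5 { printf "%s malformed\n", $1; next }
    {
        lastchg = $3; max = $5
        if (lastchg == "")
            state = "no-aging"                 # aging data not set
        else if (lastchg !~ /^[0-9]+$/)
            state = "malformed"
        else if (lastchg + 0 == 0)
            state = "forced-change"            # must change at next login
        else if (max ~ /^[0-9]+$/ && lastchg + max < today)
            state = "aged-out"                 # assumed rule: lastchg+max < today
        else
            state = "ok"
        printf "%s %s\n", $1, state
    }'
}

# Constructed sample input in the format shown in the post (hashes replaced).
# 15820 is the day number for 2013-04-25.
shadow_state 15820 <<'EOF'
userxy1:HASH:0:0:90::::
usera:HASH:15800:0:90::::
userb:HASH:15700:0:90::::
userc:HASH:::::::
EOF
```

Accounts reported as forced-change or aged-out are the ones where the account-management check applies regardless of how the user authenticated.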