This discussion is archived
0 Replies Latest reply: Apr 25, 2013 12:24 AM by dermute

Pubkey with expired Accounts

dermute Newbie
I mentioned that an SSH-Login with Pubkey-Auth doesn't work in Solaris with expired Passwords. It just asks for a password.

For example an SSH-Login with Pubkey doesn't work with....
grep userxy /etc/shadow
But it works after setting a new password with....
grep userxy /etc/shadow

So I tried to figure out how to deactivate this behaviour.

SSH uses PAM by default and checks the account expiry. But even the PAM-Debug Log only contains a msg about an invalid Pubkey (that's not true). And as I said before, after setting the password it works.... (PAM Log:

My pam.conf isn't modified and these are my relevant lines from sshd_config:
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes

That's what I want to have:
- If there is a pubkey for the user: grant login (even with expired passwords)
- If there is no pubkey: do password-auth for not-expired password; don't allow login for expired user

I still tried so many different configurations that I am just confused now. Do you have any suggestions?

