I mentioned that an SSH login with pubkey auth doesn't work in Solaris with expired passwords. It just asks for a password.
For example, an SSH login with pubkey doesn't work with:

    grep userxy /etc/shadow
    userxy1:$2a$04$mymegahash:0:0:90::::

But it works after setting a new password with:

    grep userxy /etc/shadow
    userxy1:$2a$04$mymegahash2:1582:0:90::::

So I tried to figure out how to deactivate this behaviour.
SSH uses PAM by default and pam_unix_cred.so.1 checks the account expiry. But even the PAM-Debug Log only contains a msg about an invalid Pubkey (that's not true). And as I said before, after setting the password it works.... (PAM Log: http://pastebin.com/Xe44nAqs)
My pam.conf isn't modified, and these are my relevant lines from sshd_config:

    PermitEmptyPasswords no
    PasswordAuthentication yes
    PAMAuthenticationViaKBDInt yes

That's what I want to have:
- If there is a pubkey for the user: grant login (even with expired passwords)
- If there is no pubkey: do password auth for a non-expired password; don't allow login for an expired user

I have tried so many different configurations that I am just confused now. Do you have any suggestions?