0 Replies Latest reply: Apr 25, 2013 12:24 AM by dermute

Pubkey with expired Accounts

dermute Newbie
Hello,
I mentioned that an SSH-Login with Pubkey-Auth doesn't work in Solaris with expired Passwords. It just asks for a password.

For example an SSH-Login with Pubkey doesn't work with....
grep userxy /etc/shadow
userxy1:$2a$04$mymegahash:0:0:90::::
But it works after setting a new password with....
grep userxy /etc/shadow
userxy1:$2a$04$mymegahash2:1582:0:90::::


So I tried to figure out how to deactivate this behaviour.


SSH uses PAM by default and pam_unix_cred.so.1 checks the account expiry. But even the PAM-Debug Log only contains a msg about an invalid Pubkey (that's not true). And as I said before, after setting the password it works.... (PAM Log: http://pastebin.com/Xe44nAqs)

My pam.conf isn't modified and these are my relevant lines from sshd_config:
PermitEmptyPasswords no
PasswordAuthentication yes
PAMAuthenticationViaKBDInt yes



That's what I want to have:
- If there is a pubkey for the user: grant login (even with expired passwords)
- If there is no pubkey: do password-auth for not-expired password; don't allow login for expired user

I still tried so many different configurations that I am just confused now. Do you have any suggestions?
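
As an added example (not part of the original post), the script below classifies shadow(4) entries by the field in which the post's two /etc/shadow lines differ: a lastchg value of 0 forces a password change at the next login. The AGED_OUT check goes beyond the case shown in the post; the function names, the AWK variable and the sample accounts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify shadow(4) entries by password-aging state.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:flag
# Assumption: an awk that supports -v; on Solaris set AWK=nawk or
# AWK=/usr/xpg4/bin/awk, because the legacy /usr/bin/awk does not.

# shadow_pw_state TODAY_DAYS < shadow-format-lines
# Prints "name STATE" per account, where STATE is one of:
#   FORCED_CHANGE  lastchg is 0 (password must be changed at next login)
#   AGED_OUT       lastchg + max lies before TODAY_DAYS
#   OK             neither condition applies
shadow_pw_state() {
    "${AWK:-awk}" -F: -v today="$1" '
        /^#/ || NF < 5 { next }          # skip comments and short lines
        {
            state = "OK"
            if ($3 == "0")
                state = "FORCED_CHANGE"
            else if ($3 != "" && $5 != "" && $5 + 0 >= 0 && $3 + $5 < today)
                state = "AGED_OUT"
            print $1, state
        }'
}

# Constructed sample input (hashes are placeholders, not real values).
sample_shadow() {
    cat <<'EOF'
alice:$2a$04$placeholderhashA:0:0:90::::
bob:$2a$04$placeholderhashB:15700:0:90::::
carol:$2a$04$placeholderhashC:15800:0:90::::
dave:$2a$04$placeholderhashD:15000::::::
EOF
}

# 15820 days after 1970-01-01 is 2013-04-25.
sample_shadow | shadow_pw_state 15820
```

Against a live system, feed it /etc/shadow as root and pass the current day count as the argument; accounts reported as FORCED_CHANGE are in the state of the first shadow line quoted in the post.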
