Red Hat Bug 124602 In Action
$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 3 (Taroon Update 4)
$ rpm -q openssh
openssh-3.6.1p2-33.30.3
I attempt to log in over ssh as a user whose password has expired.
If privilege separation is enabled
If privilege separation is enabled, I receive the following error.
You are required to change your password immediately (password aged)
Your password has expired, the session cannot proceed.
If privilege separation is disabled
If privilege separation is disabled, I receive the following error.
From a remote system:
$ ssh hutchib@host
Password:
dispatch_protocol_error: type 60 seq 12
Disconnecting: Bad packet length 1158809210.
From the local system:
$ ssh hutchib@localhost
Password:
Warning: Your password has expired, please change it now.
9ea7 c5ec 6dc5 65ca debc beb7 7a68 0f0a
Disconnecting: Bad packet length 2661795308.
Note that even after installing the latest OpenSSH package, privilege separation must be enabled in order to log in with an expired account.
$ rpm -qp openssh-3.6.1p2-33.30.14.i386.rpm --changelog
...
* Wed Feb 02 2005 Tomas Mraz <firstname.lastname@example.org> 3.6.1p2-33.30.4
- CAN-2004-0175 (#120147) don't allow scp to overwrite files in other directories
- don't log in sigalarm handler - it can deadlock (#145001)
* Tue Feb 01 2005 Tomas Mraz <email@example.com>
- allow changing expired passwords when privilege separation is on (#124602)
- don't leak whether root password is right if root isn't allowed (#141642)
# yum install openssh
...
I will do the following:
[update: openssh 3.6.1p2-33.30.14.i386]
I will install/upgrade these to satisfy the dependencies:
[deps: openssh-server 3.6.1p2-33.30.14.i386]
[deps: openssh-clients 3.6.1p2-33.30.14.i386]
[deps: openssh-askpass 3.6.1p2-33.30.14.i386]
Is this ok [y/N]: y
With privilege separation disabled:
$ ssh hutchib@host
Password:
Warning: Your password has expired, please change it now.
Disconnecting: Bad packet length 2062459566.
With privilege separation enabled:
$ ssh hutchib@host
You must change your password now and login again!
Changing password for user hutchib.
Changing password for hutchib
(current) UNIX password:
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
Connection to host closed.
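As an added check, not part of the original post: a shell script that reads the effective UsePrivilegeSeparation value from an sshd_config and compares an openssh rpm release string against 3.6.1p2-33.30.4, the build whose changelog entry closes #124602. The config content and release strings are constructed, and the comparison assumes the RHEL 3 3.6.1p2 packaging line.

```sh
#!/bin/sh
# Added example: decide whether an expired-password ssh login can complete
# on an RHEL 3 host, given its sshd_config and its openssh rpm release.

# Effective UsePrivilegeSeparation for a config read on stdin.
# sshd treats the keyword case-insensitively, uses the first occurrence,
# and defaults to "yes" when the directive is absent.
privsep_setting() {
    val=$(awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); exit }')
    echo "${val:-yes}"
}

# Returns 0 when a release such as "3.6.1p2-33.30.14" is at or past
# 3.6.1p2-33.30.4 (the build containing the #124602 fix), else 1.
# Only the release part after the dash is compared, field by field.
fixed_for_124602() {
    installed_rel=${1#*-}
    echo "$installed_rel" | awk -F. -v fixed="33.30.4" '
        {
            split(fixed, f, ".")
            for (i = 1; i <= 3; i++) {
                if ($i + 0 > f[i] + 0) exit 0
                if ($i + 0 < f[i] + 0) exit 1
            }
            exit 0
        }'
}

# Combined verdict for a config file and a release string: "ok" when the
# password change can go through, otherwise the remediation needed first.
expired_login_status() {
    config_file=$1
    release=$2
    if ! fixed_for_124602 "$release"; then
        echo "update openssh: $release predates the #124602 fix"
    elif [ "$(privsep_setting < "$config_file")" != "yes" ]; then
        echo "enable UsePrivilegeSeparation: expired-password change still fails without it"
    else
        echo "ok"
    fi
}

# Constructed sample config standing in for /etc/ssh/sshd_config.
tmp=$(mktemp)
printf 'Port 22\nUsePrivilegeSeparation no\n' > "$tmp"
expired_login_status "$tmp" "3.6.1p2-33.30.14"
rm -f "$tmp"
```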