Monday, March 20, 2017

How to configure SFTP to prompt user to change password when user password is expired?


https://access.redhat.com/solutions/24758


Environment

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6

Issue

  • On an SFTP-only server, after manually expiring a user's password, an attempt to log in over SFTP is disconnected immediately. Because these users have no shell, they are never prompted to change the password at the SFTP prompt, unlike an SSH login.

Resolution

  • Once a user's password has expired, the user can be prompted to change it at the next SFTP login by making the following changes in the ssh configuration file /etc/ssh/sshd_config:
    PasswordAuthentication no
    ChallengeResponseAuthentication yes
    UsePAM yes
  • Then restart the sshd service for the changes to take effect. A user whose password has expired will now be prompted to reset it at the next SFTP login.
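The following script is an added example, not part of the Red Hat solution: it applies the three directives above to whatever sshd_config path it is given (so it can be tried on a copy first), replaces the first matching line whether it was active or commented, comments out any later conflicting copies (sshd honours only the first occurrence), and verifies the effective values. Running `sshd -t` and restarting sshd are left to the caller.

```shell
#!/bin/sh
# Added example: set the sshd_config directives that let an expired-password
# user receive the change-password prompt over SFTP, then verify them.
set -eu

# set_directive FILE KEY VALUE
# First line matching KEY (active or commented) becomes "KEY VALUE"; later
# active copies are commented out so no conflicting value precedes or follows.
set_directive() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[[:blank:]]*#?[[:blank:]]*${key}[[:blank:]]" "$file"; then
        awk -v k="$key" -v v="$value" '
            $0 ~ "^[ \t]*#?[ \t]*" k "[ \t]" {
                if (!done) { print k " " v; done = 1; next }
                if ($0 !~ /^[ \t]*#/) { print "#" $0; next }
            }
            { print }
        ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"   # key absent: append it
    fi
}

# apply_sftp_expiry_settings [FILE]  (defaults to /etc/ssh/sshd_config)
apply_sftp_expiry_settings() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"   # keep a backup
    set_directive "$cfg" PasswordAuthentication no
    set_directive "$cfg" ChallengeResponseAuthentication yes
    set_directive "$cfg" UsePAM yes
}

# effective_value FILE KEY: first active (uncommented) value, as sshd reads it
effective_value() {
    awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# check_sftp_expiry_settings FILE: succeeds only when all three directives
# are in effect with the values the resolution calls for
check_sftp_expiry_settings() {
    [ "$(effective_value "$1" PasswordAuthentication)" = no ] &&
    [ "$(effective_value "$1" ChallengeResponseAuthentication)" = yes ] &&
    [ "$(effective_value "$1" UsePAM)" = yes ]
}

# usage: apply_sftp_expiry_settings /etc/ssh/sshd_config && sshd -t && service sshd restart
```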

Root Cause

  • ChallengeResponseAuthentication usually serves an equivalent role to password authentication, so you should disable one of PasswordAuthentication or ChallengeResponseAuthentication rather than enable both.
  • ChallengeResponseAuthentication controls support for the keyboard-interactive authentication scheme, in which the client sends a response to a challenge issued by the server. When ChallengeResponseAuthentication is enabled in sshd_config, that challenge is the password prompt, and PAM can then drive the expired-password change dialog over it.
