https://access.redhat.com/solutions/24758
Environment
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
Issue
- On an SFTP-only server, after a user's password is manually expired, an SFTP login attempt disconnects the user immediately. Because these users do not have a shell, they are not prompted to change the password at the SFTP prompt, as they would be on an SSH login.
Resolution
- Once a user's password expires, the user can be prompted to change it at the next SFTP login by making the following changes in the ssh configuration file /etc/ssh/sshd_config:
PasswordAuthentication no
ChallengeResponseAuthentication yes
UsePAM yes
- Then restart the sshd service for the changes to take effect. A user whose password has expired will now be prompted to reset it at the next SFTP login.
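The following check is an added example, not part of the original solution: it reads an sshd_config file and reports whether the three directives above are set as described. It assumes sshd uses the first global occurrence of each keyword (lines before any Match block) and treats an absent keyword as a mismatch; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the three sshd_config settings from the Resolution.
# Assumptions: keywords are case-insensitive, "Keyword=value" is accepted,
# and the first global occurrence (before any Match block) is the one used.

# effective_value FILE KEYWORD -> prints the lowercase value, or nothing if unset
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }                      # skip comment lines
        { sub(/[ \t]*=[ \t]*/, " ") }            # normalise Keyword=value
        tolower($1) == "match" { exit }          # stop at conditional blocks
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# check_sftp_expiry_config FILE -> returns 0 only if all three settings match
check_sftp_expiry_config() {
    file=$1
    rc=0
    for pair in passwordauthentication:no \
                challengeresponseauthentication:yes \
                usepam:yes; do
        key=${pair%%:*}
        want=${pair##*:}
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: want=$want got=${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real host's file): PasswordAuthentication left on.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
PasswordAuthentication yes
challengeresponseauthentication yes
UsePAM yes
EOF
check_sftp_expiry_config "$sample" || echo "config does not match the Resolution"
rm -f "$sample"
```

Point the function at /etc/ssh/sshd_config on the server, and run `sshd -t` before restarting the service to catch syntax errors in the edited file.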
Root Cause
- ChallengeResponseAuthentication usually serves an equivalent role to password authentication, so you should disable either PasswordAuthentication or ChallengeResponseAuthentication.
- ChallengeResponseAuthentication controls support for the keyboard-interactive authentication scheme, in which the client sends a response to a challenge issued by the server. In this case, when ChallengeResponseAuthentication is enabled in sshd_config, the server responds with the password prompt.