
FrcpasswdPolicies Option

2009-07-16
2013-04-16
  • DirkNiblick
    2009-07-16

    I have OpenSSH version 5.0p1 running on AIX 5.3.9 and the FrcpasswdPolicies option, which would allow us to prevent users with expired system passwords from getting in via key authentication, doesn't seem to be working.  This is what I have in the config file:

    FrcpasswdPolicies yes

    ...and here's what the test of the config file says...

    # sshd -dt     
    /etc/ssh/sshd_config: line 121: Bad configuration option: FrcpasswdPolicies
    /etc/ssh/sshd_config: terminating, 1 bad configuration options

    I can find only one document online which references the option: http://www.ibm.com/developerworks/aix/library/au-new_openssh/index.html?ca=drs-

    FrcpasswdPolicies
    This config option is included in the sshd_config file of the IBM-supported version of OpenSSH-4.5p1 onwards. By default, it is set to "No." When it is set to "Yes," it checks whether the password is expired for that user before allowing the user to log in. If the password is expired for the user, it prompts the user to change the password and then allows the user to log in once the password is successfully changed. Otherwise, login fails. This password check is done even if the user is following the public key or host-based authentication. This ensures that the user is authorized before logging in.

    The man page isn't much more descriptive.  Are there any other options that need to be specified?  Other packages that need to be installed?  Has anyone been able to enable this option in their environment?

     
    • DirkNiblick
      2009-08-11

      Turns out the newest version of the packages solved this issue for AIX 5.3.  The 5.2 version is missing this fix but I have it on good authority a newer version will be released soon to fix this issue.
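
Added example (not part of the thread, and not IBM's or OpenSSH's code): on a build where sshd rejects FrcpasswdPolicies, an administrator can audit for the gap the option closes by listing key-authenticated users whose password has aged past maxage. It assumes AIX's stanza files /etc/security/user (maxage, in weeks) and /etc/security/passwd (lastupdate, in epoch seconds); the file contents, user names, key-user set and clock value below are constructed.

```python
import re

WEEK = 7 * 24 * 3600

# Constructed sample data in AIX stanza format (not taken from a real host).
USER_FILE = """* password policy
default:
        maxage = 13
alice:
        maxage = 0
"""
PASSWD_FILE = """alice:
        password = *
        lastupdate = 1000000000
bob:
        password = *
        lastupdate = 1230000000
carol:
        password = *
        lastupdate = 1247000000
"""
KEY_USERS = {"alice", "bob", "carol", "dave"}  # assumed: users with an authorized_keys file
NOW = 1247702400                               # constructed "current time" (epoch seconds)

def parse_stanzas(text):
    """Parse 'name:' headers followed by 'key = value' lines into a dict of dicts."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):   # '*' starts a comment line
            continue
        header = re.fullmatch(r"([^\s:=]+):", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas

def expired_key_users(user_text, passwd_text, key_users, now):
    """Return the key-authenticated users whose password is older than maxage."""
    policy, shadow = parse_stanzas(user_text), parse_stanzas(passwd_text)
    default_maxage = policy.get("default", {}).get("maxage", "0")
    hits = []
    for user in sorted(key_users):
        maxage = int(policy.get(user, {}).get("maxage", default_maxage))
        last = shadow.get(user, {}).get("lastupdate")
        if maxage <= 0 or last is None:        # 0 = no ageing; no lastupdate = cannot judge
            continue
        if now > int(last) + maxage * WEEK:
            hits.append(user)
    return hits

print(expired_key_users(USER_FILE, PASSWD_FILE, KEY_USERS, NOW))
```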