Greetings!
The DU machine that I manage was recently broken into by a hacker. In
response, I have rebuilt the system and have tightened security on the new
system to discourage further attacks. For example, I am now running with
the enhanced security package turned on. In addition, I have disabled
telnet access and am currently requiring users to connect to the machine
via ssh (this is an experiment to see if the users will stand for this).
I notice, however, that ssh logins seem to bypass the password controls.
For example, if a user's password has expired they are not forced to
change the password when they log in via ssh. This is true even if they
have used password authentication during their ssh session. This is not an
entirely satisfactory situation and I'm wondering what, if anything, I can
do about it. Is there a program I can put into the login script that will
take care of this matter or do I need to recompile sshd in some way? I'm
using ssh v1.2.26.
It would be ironic if I needed to use unencrypted telnet sessions to gain
access to some of the enhanced security features of my new system!
TIA
*****************************************************************************
Peter
pchapin_at_twilight.vtc.vsc.edu
http://twilight.vtc.vsc.edu/~pchapin/
Received on Wed Jan 27 1999 - 12:41:24 NZDT