I've just installed ssh-1.2.27, sshd on HP-UX 10.20, and tested ssh on
Digital UNIX V4.0E (Rev. 1091).
When I age the password (that is, to force expiration) on the server, I
cannot log in to the server with rlogin or login. That is expected.
However, I can still ssh to the server from a client to a user ID that is
disabled. This is not what I expected.
Upon examination of the source code, I noticed that the password expiration
test is done in a section of sshd.c when HAVE_USERSEC_H is defined.
HAVE_USERSEC_H is defined if a header file <usersec.h> is available, which
it is not. config.h.in has it undefined.
Do I interpret it correctly? Besides, what good is it if one can log in to
the server by the back door (via ssh) when the account is disabled?
I would appreciate any thoughts on this dilemma.
Thank you in advance.
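
Added example, not part of the original post and not taken from the ssh source: a shell function that lists the HAVE_* macros a source file tests in preprocessor conditionals and reports whether the generated config.h defines each one, which is how to confirm that a guarded check such as the one described above was compiled out. The sample files are constructed, and HAVE_EXAMPLE_H is a hypothetical macro.

```shell
#!/bin/sh
# List the HAVE_* feature macros a source file tests with #if / #ifdef,
# and say whether the generated config.h actually defines each one.
# Usage: guarded_macros <source.c> <config.h>
guarded_macros() {
    src=$1 cfg=$2
    # Pull every HAVE_* name out of preprocessor conditionals in the source.
    grep -E '^[[:space:]]*#[[:space:]]*(if|ifdef|ifndef|elif)' "$src" |
        grep -oE 'HAVE_[A-Z0-9_]+' | sort -u |
    while read -r macro; do
        # configure writes "#define NAME 1" when its probe succeeds and
        # leaves "/* #undef NAME */" (or nothing) when the probe fails.
        if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$macro([[:space:]]|\$)" "$cfg"; then
            echo "$macro enabled"
        else
            echo "$macro DISABLED"
        fi
    done
}

# Constructed sample input (not the real sshd.c or config.h): one block
# guarded by the macro named in the post, one by a hypothetical macro.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/sample.c" <<'EOF'
#ifdef HAVE_USERSEC_H
/* password expiration test would be compiled here */
#endif /* HAVE_USERSEC_H */
#if defined(HAVE_EXAMPLE_H)
/* unrelated feature */
#endif
EOF
    cat > "$dir/config.h" <<'EOF'
/* #undef HAVE_USERSEC_H */
#define HAVE_EXAMPLE_H 1
EOF
    guarded_macros "$dir/sample.c" "$dir/config.h"
    rm -rf "$dir"
}

demo
```

Any macro reported as DISABLED that guards an authentication or account-status check marks a check that is absent from the built binary.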