Password change required but no TTY available

Hello,

on my SSH server following error message is logged: "Password change required but no TTY available". Is it possible to inform the WinSCP user about this problem during his logging attempt. I know, that WinSCP has no tty. The next step is, that WinSCP offers a tty connection to the server, to change this password.

Thanks in andvance.

wkfl

wkfl wrote:

on my SSH server following error message is logged: "Password change required but no TTY available". Is it possible to inform the WinSCP user about this problem during his logging attempt.

Can you provide me log file showing WinSCP trying to connect to account with expired password?

The next step is, that WinSCP offers a tty connection to the server, to change this password.

WinSCP cannot offer TTY, because neither SCP not SFTP can work with it. For non-interactive clients, SSH provides possibility to change expired password using keyboard-interactive (or similar) authentication. However I do not know how good support for this is in SSH servers.

I also encountered the same error message. Below is the log/error message.

Server sent disconnect message
type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
"Password change required but no TTY available"

Regards,
lohmh

lohmh wrote:

I also encountered the same error message. Below is the log/error message.

Server sent disconnect message
type 2 (SSH_DISCONNECT_PROTOCOL_ERROR):
"Password change required but no TTY available"

Hm. I'm sorry, obviously I cannot do anything with it. See my suggestion about keyboard-interactive autentication.

Hi Martin,
I have this issue as well, since I have many users who are extremely low on technical knowledge.

They perform very simple tasks.

When their password has expired, they just can't use WINSCP. It keeps asking for a password. Meanwhile their password has actually expired and they must change it.

They then create a trouble ticket for me stating they can't use WinSCP. At which time I have to change their password for them, since they have no idea how to use a client to login and change the password.

Would it be possible to have an option of using Putty to connect to the session if WINSCP fails at logon? Maybe a little button that says, use Putty to connect. This would allow the user to connect to the server, at which time it would ask for the current password and then ask them to change it. After that, our system actually logs the user out. They can then use WinSCP to connect with the new password.

Any chance of that happening??

Please ask me anything for further clarification.

Thank you,
OCAS TSS

OCAS TSS wrote:

Would it be possible to have an option of using Putty to connect to the session if WINSCP fails at logon? Maybe a little button that says, use Putty to connect. This would allow the user to connect to the server, at which time it would ask for the current password and then ask them to change it. After that, our system actually logs the user out. They can then use WinSCP to connect with the new password.

AFAIK, there's no way to know that authentication failed because the password expired (appart from the error message).

Just to myself repeat:

For non-interactive clients, SSH provides possibility to change expired password using keyboard-interactive (or similar) authentication. However I do not know how good support for this is in SSH servers.

I'm proposing that the user decides if they want to use Putty or not to make the connection.

When WinSCP fails at login, expecially when the password has been saved into the profile, it's 99% of the time expired.

I just wondered if a quick shortcut button could be placed on the same authentication window that pops up, that uses Putty to connect to the same server.

If I can get a passowrd to expire today, I'll send a mock up of what I mean.

I've gone and created a mock up, can I attach files?

I'll email you the image for this post.

OCAS TSS wrote:

I'm proposing that the user decides if they want to use Putty or not to make the connection.

Sorry, I've missed that. Yes, this can be done, if there's no other option. But I would like to see more "standard" solution. What server do you use? OpenSSH? It should support the password change on expiry mechanism as I've noted in the previous post.

Well, we've actually investigated this before, but our hosted services are at IBM, and they are on AIX, as well, they have strict rules as to what they will allow on their servers, mainly because they need to keep up their end of the 99.5% uptime guarantee.

It was hard enough to get them to upgrade OPENSSH to allow the SFTP server to utilitze the home folder fix.

I don't particularly like the idea of have a button for using Putty either, but I know for most people they probably won't have any say as to which SSH is running on the server they are connecting to, like us.

Kevin

P.S. please don't feel you have to do this if it goes against your overall goal for WinSCP.

I'll think about another solution :-)

I appreciate it.

Kevin