Core issue
Secure Shell (SSH) does not support the password change feature before expiry for users that employ TACACS+ authentication. The feature does work for expired passwords because it can trigger a password change sequence at that point.
Use Telnet if a password must be changed before expiry.
Resolution
The password change feature (before expiry) for TACACS+ users is incorporated in SSHv2. In SSHv2, SSH_MSG_USERAUTH_PASSWD_CHANGEREQ permits this functionality.
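The exchange around SSH_MSG_USERAUTH_PASSWD_CHANGEREQ, following the wire format in RFC 4252, is sketched below as an added example (not Cisco code or part of the original note). The user name, passwords and prompt text are constructed sample values.

```python
from __future__ import annotations
import struct

# Message numbers from RFC 4252 (SSH authentication protocol).
SSH_MSG_USERAUTH_REQUEST = 50
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60  # method-specific number used by "password" auth


def ssh_string(value: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(value)) + value


def read_string(buf: bytes, offset: int) -> tuple[bytes, int]:
    """Decode one SSH 'string' at offset; reject lengths that overrun the buffer."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack_from(">I", buf, offset)
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("string length exceeds payload")
    return buf[offset + 4:end], end


def parse_passwd_changereq(payload: bytes) -> tuple[str, str]:
    """Server -> client: byte 60, string prompt (UTF-8), string language tag."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    prompt, pos = read_string(payload, 1)
    lang, pos = read_string(payload, pos)
    if pos != len(payload):
        raise ValueError("trailing bytes after language tag")
    return prompt.decode("utf-8"), lang.decode("ascii")


def build_change_request(user: str, old_pw: str, new_pw: str) -> bytes:
    """Client -> server: password-method request with the change flag TRUE."""
    return (bytes([SSH_MSG_USERAUTH_REQUEST])
            + ssh_string(user.encode("utf-8"))
            + ssh_string(b"ssh-connection")   # service name
            + ssh_string(b"password")         # method name
            + b"\x01"                         # boolean TRUE: old and new password follow
            + ssh_string(old_pw.encode("utf-8"))
            + ssh_string(new_pw.encode("utf-8")))


# Constructed sample payload, as it would appear inside the encrypted SSH transport.
SAMPLE_CHANGEREQ = b"\x3c" + ssh_string(b"Enter new password:") + ssh_string(b"en")
```

Both passwords are plaintext fields in this message and are protected only by the SSH transport encryption underneath it.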
To resolve this issue, verify the version of the Cisco IOS image running on the Cisco IOS device. SSHv2 is integrated in these Cisco IOS images:
- 12.2(25)S06
- 12.2(18)SXE
- 12.1(22)EA03
- 12.2(25)SEB
- 12.2(25)SEA
- 12.2(27.07)S
- 12.3(10.01)T and onwards
For more information, refer to Secure Shell Version 2 support in Cisco IOS Software Release 12.4.
Problem Type
Password recovery
Troubleshoot software feature
Product Family
Routers