[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Freeipa-users] Error changing expired user password using SSH



Dan Scott wrote:
Hi,

I'm having problems with users accessing their accounts for the first
time using SSH. I create their account in FreeIPA and set an (expired)
password. Then I have them ssh into one of our computers to set up
their password. The connection displays the following:

djscott pc35:~$ ssh guser@pc20
guser@pc20's password:
Warning: Your password will expire in less than one hour.
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user guser.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New password:
Retype new password:
passwd: Authentication token manipulation error
Connection to pc20 closed.

And the password change fails. Here is the relevant section from the
Kerberos logfile. There is no entry in the LDAP log in dirsrv.

Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED: guser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702, etypes {rep=18 tkt=18 ses=18}, guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703, etypes {rep=18 tkt=18 ses=18}, guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM

This appears to work fine when using kinit to login for the first
time. Shouldn't it work using SSH too? This will be a problem for our
remote users, since they have to connect remotely, using SSH.

Thanks,

Dan Scott

You need to enable Challenge-Response in sshd. See:
http://freeipa.org/page/Administrators_Guide#Using_Password_Authentication

rob
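The setting Rob refers to, shown as an added example that is not part of the thread or of FreeIPA's own tooling. The script inspects a constructed sshd_config for the directive that controls keyboard-interactive (challenge-response) authentication and writes a corrected copy. Assumptions, all mine and not stated in the thread: the directive names and defaults are OpenSSH's (ChallengeResponseAuthentication, renamed KbdInteractiveAuthentication in OpenSSH 8.7 with the old name kept as an alias, default yes; UsePAM, upstream default no, which PAM-driven password changes also require); sshd honours the first occurrence of a directive and global directives must precede any Match block; the rare "Directive=value" syntax is not handled. The helper names effective_value, kbd_interactive_ok and enable_kbd_interactive are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread or from FreeIPA/OpenSSH.
# Assumed semantics (OpenSSH): first occurrence of a directive wins,
# directive names are case-insensitive, global directives must come
# before the first Match block, ChallengeResponseAuthentication defaults
# to yes (alias KbdInteractiveAuthentication since 8.7), UsePAM to no.

# effective_value FILE "name1|name2" DEFAULT
# Prints the value of the first global occurrence of any of the
# pipe-separated directive names, or DEFAULT when none appears before
# the first Match block. Hypothetical helper.
effective_value() {
    awk -v names="$2" -v def="$3" '
        BEGIN { names = tolower(names); found = 0 }
        /^[ \t]*#/ || NF < 2 { next }             # comments, blank lines
        tolower($1) == "match" { exit }           # global section is over
        index("|" names "|", "|" tolower($1) "|") > 0 {
            print $2; found = 1; exit
        }
        END { if (!found) print def }' "$1"
}

# kbd_interactive_ok FILE: exit 0 when sshd will run PAM through the
# keyboard-interactive method, which is what lets the expired-password
# dialog happen during authentication rather than failing afterwards.
kbd_interactive_ok() {
    cra=$(effective_value "$1" "ChallengeResponseAuthentication|KbdInteractiveAuthentication" yes)
    pam=$(effective_value "$1" UsePAM no)
    [ "$cra" = yes ] && [ "$pam" = yes ]
}

# enable_kbd_interactive IN OUT: copies IN to OUT with the relevant global
# directives commented out and a correct pair inserted before the first
# Match block (or at the end when there is none), so the inserted lines
# are the first, and therefore effective, occurrence. Hypothetical helper.
enable_kbd_interactive() {
    awk '
        function emit() {
            if (!done) {
                print "ChallengeResponseAuthentication yes"
                print "UsePAM yes"
                done = 1
            }
        }
        tolower($1) == "match" { emit(); inmatch = 1 }
        !inmatch && index("|challengeresponseauthentication|kbdinteractiveauthentication|usepam|",
                          "|" tolower($1) "|") > 0 { print "#" $0; next }
        { print }
        END { emit() }' "$1" > "$2"
}

# Constructed sample config (not from the original post): challenge-response
# switched off, which is the state that breaks the flow shown in the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
BAD_CFG=$WORK/sshd_config.bad
GOOD_CFG=$WORK/sshd_config.fixed

cat > "$BAD_CFG" <<'EOF'
# constructed sample sshd_config, not from the original post
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF

enable_kbd_interactive "$BAD_CFG" "$GOOD_CFG"

for f in "$BAD_CFG" "$GOOD_CFG"; do
    if kbd_interactive_ok "$f"; then
        echo "$f: keyboard-interactive via PAM is on; expired-password change can run at login"
    else
        echo "$f: ChallengeResponseAuthentication/UsePAM not both yes; PAM password-change dialog will not run at login"
    fi
done
```

Run it as-is to see the before/after verdicts; the corrected copy comments out the old global lines rather than editing them in place, so the original intent stays visible in the file. After applying an equivalent change to a real /etc/ssh/sshd_config, validate with `sshd -t` and reload the service.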
