[Freeipa-users] Error changing expired user password using SSH

Rob Crittenden rcritten at redhat.com
Mon Nov 8 21:02:07 UTC 2010


Dan Scott wrote:
> Hi,
>
> I'm having problems with users accessing their accounts for the first
> time using SSH. I create their account in FreeIPA and set an (expired)
> password. Then I have them ssh into one of our computers to set up
> their password. The connection displays the following:
>
> djscott at pc35:~$ ssh guser at pc20
> guser at pc20's password:
> Warning: Your password will expire in less than one hour.
> Warning: password has expired.
> WARNING: Your password has expired.
> You must change your password now and login again!
> Changing password for user guser.
> Kerberos 5 Password:
> Warning: Your password will expire in less than one hour.
> New password:
> Retype new password:
> passwd: Authentication token manipulation error
> Connection to pc20 closed.
>
> And the password change fails. Here is the relevant section from the
> Kerberos logfile. There is no entry in the LDAP log in dirsrv.
>
> Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED:
> guser at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has
> expired
> Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH:
> guser at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
> pre-authentication required
> Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702,
> etypes {rep=18 tkt=18 ses=18}, guser at EXAMPLE.COM for
> kadmin/changepw at EXAMPLE.COM
> Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH:
> guser at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
> pre-authentication required
> Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
> etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703,
> etypes {rep=18 tkt=18 ses=18}, guser at EXAMPLE.COM for
> kadmin/changepw at EXAMPLE.COM
>
> This appears to work fine when using kinit to login for the first
> time. Shouldn't it work using SSH too? This will be a problem for our
> remote users, since they have to connect remotely, using SSH.
>
> Thanks,
>
> Dan Scott

You need to enable Challenge-Response in sshd. See:
http://freeipa.org/page/Administrators_Guide#Using_Password_Authentication

rob
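The keyword Rob refers to is sshd_config's ChallengeResponseAuthentication; the expired-password change shown in Dan's session runs through PAM's keyboard-interactive path, which is only offered when that keyword is effectively "yes" (and UsePAM is on). The script below is an added example, not part of this thread or of FreeIPA, and works on a constructed sshd_config written to a temp file. It shows the two things that trip people up when auditing this: sshd honours the first occurrence of a keyword, so a later "yes" does not override an earlier "no", and keyword matching is case-insensitive. The defaults assumed when a keyword is absent (ChallengeResponseAuthentication yes, UsePAM no) are upstream OpenSSH defaults; a distribution's shipped file may set UsePAM explicitly.

```shell
#!/bin/sh
# Added example (not from the original thread): audit and repair the
# ChallengeResponseAuthentication setting in an sshd_config file.
# sshd applies the FIRST occurrence of a keyword, so a "no" near the top
# silently wins over a "yes" appended later. Keyword matching is
# case-insensitive. Only the "Keyword value" form is handled here, not
# "Keyword=value".

# Constructed sample sshd_config exhibiting the problem described in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
# sample sshd_config (constructed for this example)
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
# a later "fix" that has no effect, because the first occurrence above wins:
ChallengeResponseAuthentication yes
EOF
}

# Print the effective value of a keyword: first non-comment match, else the
# supplied default. Usage: effective_setting FILE KEYWORD DEFAULT
effective_setting() {
    file=$1; keyword=$2; default=$3
    value=$(awk -v kw="$keyword" '
        /^[[:space:]]*#/ { next }                               # skip comments
        tolower($1) == tolower(kw) { print tolower($2); exit }  # first match wins
    ' "$file")
    printf '%s\n' "${value:-$default}"
}

# Rewrite FILE so KEYWORD appears exactly once, at the top, with value WANTED.
# Comments are preserved; stale occurrences of the keyword are dropped.
set_keyword() {
    file=$1; keyword=$2; wanted=$3
    tmp="$file.tmp"
    {
        printf '%s %s\n' "$keyword" "$wanted"
        awk -v kw="$keyword" '
            /^[[:space:]]*#/ { print; next }
            tolower($1) == tolower(kw) { next }   # drop old occurrences
            { print }
        ' "$file"
    } > "$tmp" && mv "$tmp" "$file"
}

# Report whether FILE lets a user with an expired password complete the PAM
# password change over SSH. Returns 0 when both settings are usable.
check_config() {
    file=$1
    cra=$(effective_setting "$file" ChallengeResponseAuthentication yes)
    pam=$(effective_setting "$file" UsePAM no)
    printf 'ChallengeResponseAuthentication=%s UsePAM=%s\n' "$cra" "$pam"
    [ "$cra" = yes ] && [ "$pam" = yes ]
}

# Demo: audit the constructed file, repair it, audit again.
demo_file=$(mktemp)
write_sample_config "$demo_file"
if check_config "$demo_file"; then
    echo "ok: expired-password change over SSH can proceed"
else
    echo "needs fixing: forcing ChallengeResponseAuthentication yes"
    set_keyword "$demo_file" ChallengeResponseAuthentication yes
    check_config "$demo_file" && echo "ok after repair"
fi
rm -f "$demo_file"
```

After editing the real file, `sshd -t` validates the syntax and `sshd -T` prints the effective configuration, which is the quickest way to confirm which occurrence actually won before reloading the daemon.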