
Re: Re: Re: Re: [rhn-users] force user to change password on first login



Hello again!

Sorry for too many emails... just another thought occurred to me... the application developers might have implemented "sshd" differently from the "su" implementation. su probably recognizes the error that the password has expired and calls the "password" module, but sshd may just return when auth returns an error message... does anyone follow me? My guess is the sshd daemon you are running might be different. The sshd version on the Linux server is:
openssh-server-3.6.1p2-33.30.3

su-->/etc/pam.d/su
ssh-client-->ssh daemon-->/etc/pam.d/sshd

Since /etc/pam.d/su and /etc/pam.d/sshd are almost identical (to my eyes), I guess the problem is with the ssh daemon...

Is my understanding correct?

Thanks! Have a nice weekend everyone!!
Raj

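As an added example (not from any message in this thread): the /etc/shadow fields that "chage -d 0" writes and that pam_unix's account check reads, classified by a small POSIX sh function. The shadow lines, hashes and the day number for 2005-02-19 (12833) are constructed, and the state names are assumptions of this example, not pam_unix's own messages.

```shell
#!/bin/sh
# Constructed /etc/shadow-style sample (not real accounts). Field layout:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# Day counts are days since 1970-01-01; an empty field means "not set",
# which is how chage stores the -1 values used in the thread.
SHADOW='user1:$1$CONSTRUCTED:0::::::
user2:$1$CONSTRUCTED:12800:0:90:7:::
user3:$1$CONSTRUCTED:12500:0:90:7:14::
user4:$1$CONSTRUCTED:12700:0:90:7:::
user5:$1$CONSTRUCTED:12800:0:90:7::12810:'

# aging_state NAME TODAY_DAYS -> prints one of:
#   account-expired | forced-change | inactive | expired | ok | unknown
aging_state() {
    name=$1 today=$2
    line=$(printf '%s\n' "$SHADOW" | grep "^$name:") || { echo unknown; return 1; }
    IFS=: read -r _ _ lastchg _ max _ inact expire _ <<EOF
$line
EOF
    # Treat empty fields like chage's -1: the limit is disabled.
    max=${max:--1}; inact=${inact:--1}; expire=${expire:--1}
    # Account expiry is independent of password aging and checked first.
    if [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    # Empty lastchg: password aging is disabled entirely.
    [ -n "$lastchg" ] || { echo ok; return 0; }
    # lastchg 0 is exactly what "chage -d 0 user1" sets: the user must
    # change the password at next login ("root enforced").
    if [ "$lastchg" -eq 0 ]; then
        echo forced-change; return 0
    fi
    # Past lastchg+max the password is expired; past the inactive grace
    # period as well, the account is locked out instead.
    if [ "$max" -ge 0 ] && [ "$today" -gt $((lastchg + max)) ]; then
        if [ "$inact" -ge 0 ] && [ "$today" -gt $((lastchg + max + inact)) ]; then
            echo inactive
        else
            echo expired
        fi
        return 0
    fi
    echo ok
}
```

Whether the login service then offers a password change or just closes the session (the su-versus-sshd difference discussed above) is decided by the caller, not by these fields.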

On Sat, 19 Feb 2005 Raj Kumar wrote:
>Hi Richard,
>
>/etc/pam.d/system-auth is another file to compare.
>Do you use pam_unix or pam_unix2?
>
>
>more system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account    required      /lib/security/$ISA/pam_unix.so
>
>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    required      /lib/security/$ISA/pam_deny.so
>
>session    required      /lib/security/$ISA/pam_limits.so
>session    required      /lib/security/$ISA/pam_unix.so
>
>-----------------------
>error messages in /var/log/message:
>sshd(pam_unix)[12002]: expired password for user user1 (root enforced)
>sshd(pam_unix)[12004]: session opened for user user1 by (uid=501)
>sshd(pam_unix)[12004]: session closed for user user1
>
>But what is confusing is that both /etc/pam.d/su and sshd reference system-auth for auth and account. So why does su work but sshd fail?
>
>Thanks again for your help!
>
>Raj
>
>On Sat, 19 Feb 2005 Raj Kumar wrote:
> >Hi Richard,
> >
> >I also tried this now
> >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
> >
> >It still doesn't work. After executing the above command  chage -l user1 reports:
> >
> >Minimum:        -1
> >Maximum:        -1
> >Warning:        -1
> >Inactive:      -1
> >Last Change:            Never
> >Password Expires:      Never
> >Password Inactive:      Never
> >Account Expires:        Never
> >
> >Do you get similar output? What ssh client are you using? I tried with Mindterm, openssh client installed on linux and ssh client installed with cygwin. They all don't work. I get the error message and the connection is terminated immediately. But if I login as user2 and then try "su user1" I get the error message and then the prompt to change password (similar to the prompts you get when passwd is run).
> >
> >Since it works with su and not with ssh and the authentication process goes through PAM I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files?
> >We should probably compare the module-type "account" settings in these files. I don't see any difference in the account modules in my /etc/pam.d/su and /etc/pam.d/sshd files.
> >
> >
> >  more /etc/pam.d/su
> >
> >#%PAM-1.0
> >auth      sufficient  /lib/security/$ISA/pam_rootok.so
> ># Uncomment the following line to implicitly trust users in the "wheel" group.
> >#auth      sufficient  /lib/security/$ISA/pam_wheel.so trust use_uid
> ># Uncomment the following line to require a user to be in the "wheel" group.
> >#auth      required    /lib/security/$ISA/pam_wheel.so use_uid
> >auth      required    /lib/security/$ISA/pam_stack.so service=system-auth
> >account    required    /lib/security/$ISA/pam_stack.so service=system-auth
> >password  required    /lib/security/$ISA/pam_stack.so service=system-auth
> >session    required    /lib/security/$ISA/pam_stack.so service=system-auth
> >session    optional    /lib/security/$ISA/pam_xauth.so
> >
> >---------------------------------------------------------------
> >
> >more /etc/pam.d/sshd
> >
> >#%PAM-1.0
> >auth      required    pam_stack.so service=system-auth
> >auth      required    pam_nologin.so
> >account    required    pam_stack.so service=system-auth
> >password  required    pam_stack.so service=system-auth
> >session    required    pam_stack.so service=system-auth
> >session    required    pam_limits.so
> >session    optional    pam_console.so
> >
> >
> >Thanks for your help!
> >Raj
> >
> >
> >On Sat, 19 Feb 2005 Richard Lefebvre wrote:
> > >It seems to work for me, I do put everything else to -1:
> > >
> > >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
> > >
> > >Also, I don't permit login via telnet or rlogin, only ssh.
> > >
> > >
> > >Raj Kumar wrote:
> > >>  Hi Richard!
> > >>
> > >>I tried that before. The error message I get is
> > >>  You are required to change your password immediately (root enforced)
> > >>Your password has expired, the session cannot proceed.
> > >>Connection to testserver closed
> > >>
> > >>The user does not get to the prompt to change the password. How else can he change the password if he doesn't have access to the shell?
> > >>
> > >>thank you,
> > >>Raj
> > >>
> > >>
> > >>
> > >>On Fri, 18 Feb 2005 Richard Lefebvre wrote:
> > >>  >"chage -d 0 user1" should do the trick.
> > >>  >
> > >>  >Richard
> > >>  >
> > >>  >Raj Kumar wrote:
> > >>  >>Hi Mike,
> > >>  >>
> > >>  >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change the password after 24 hrs.
> > >>  >>
> > >>  >>Are there any other options to force the user to change their passwords at first logon?
> > >>  >>
> > >>  >>Thank you,
> > >>  >>Raj
> > >>  >>
> > >>  >>
> > >>
> > >>
> > >>
> >_______________________________________________
> >rhn-users mailing list
> >rhn-users redhat com
> >https://www.redhat.com/mailman/listinfo/rhn-users