<P>
Hi Richard,<BR>
<BR>
/etc/pam.d/system-auth is another file to compare.<BR>
Do you use pam_unix or pam_unix2?<BR>
<BR>
<BR>
more system-auth <BR>
#%PAM-1.0<BR>
# This file is auto-generated.<BR>
# User changes will be destroyed the next time authconfig is run.<BR>
auth required /lib/security/$ISA/pam_env.so<BR>
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok<BR>
auth required /lib/security/$ISA/pam_deny.so<BR>
<BR>
account required /lib/security/$ISA/pam_unix.so<BR>
<BR>
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=<BR>
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow<BR>
password required /lib/security/$ISA/pam_deny.so<BR>
<BR>
session required /lib/security/$ISA/pam_limits.so<BR>
session required /lib/security/$ISA/pam_unix.so<BR>
<BR>
-----------------------<BR>
error messages in /var/log/message:<BR>
sshd(pam_unix)[12002]: expired password for user user1 (root enforced)<BR>
sshd(pam_unix)[12004]: session opened for user user1 by (uid=501)<BR>
sshd(pam_unix)[12004]: session closed for user user1<BR>
<BR>
But what is confusing is that both /etc/pam.d/su and sshd reference system-auth for auth and account. So why does su work but sshd fail?<BR>
<BR>
Thanks again for your help!<BR>
<BR>
Raj<BR>
<BR>
On Sat, 19 Feb 2005 Raj Kumar wrote :<BR>
>Hi Richard,<BR>
><BR>
>I also tried this now<BR>
>/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1<BR>
><BR>
>It still doesn't work. After executing the above command chage -l user1 reports:<BR>
><BR>
>Minimum: -1<BR>
>Maximum: -1<BR>
>Warning: -1<BR>
>Inactive: -1<BR>
>Last Change: Never<BR>
>Password Expires: Never<BR>
>Password Inactive: Never<BR>
>Account Expires: Never<BR>
><BR>
>Do you get similar output? What ssh client are you using? I tried with Mindterm, the openssh client installed on linux and the ssh client installed with cygwin. None of them works. I get the error message and the connection is terminated immediately. But if I login as user2 and then try "su user1" I get the error message and then the prompt to change password (similar to the prompts you get when passwd is run).<BR>
><BR>
>Since it works with su and not with ssh and the authentication process goes through PAM I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files?<BR>
>We should probably compare the module-type "account" settings in these files. I don't see any difference in the account modules in my /etc/pam.d/su and /etc/pam.d/sshd files.<BR>
><BR>
><BR>
> more /etc/pam.d/su<BR>
><BR>
>#%PAM-1.0<BR>
>auth sufficient /lib/security/$ISA/pam_rootok.so<BR>
># Uncomment the following line to implicitly trust users in the "wheel" group.<BR>
>#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid<BR>
># Uncomment the following line to require a user to be in the "wheel" group.<BR>
>#auth required /lib/security/$ISA/pam_wheel.so use_uid<BR>
>auth required /lib/security/$ISA/pam_stack.so service=system-auth<BR>
>account required /lib/security/$ISA/pam_stack.so service=system-auth<BR>
>password required /lib/security/$ISA/pam_stack.so service=system-auth<BR>
>session required /lib/security/$ISA/pam_stack.so service=system-auth<BR>
>session optional /lib/security/$ISA/pam_xauth.so<BR>
><BR>
>---------------------------------------------------------------<BR>
><BR>
>more /etc/pam.d/sshd<BR>
><BR>
>#%PAM-1.0<BR>
>auth required pam_stack.so service=system-auth<BR>
>auth required pam_nologin.so<BR>
>account required pam_stack.so service=system-auth<BR>
>password required pam_stack.so service=system-auth<BR>
>session required pam_stack.so service=system-auth<BR>
>session required pam_limits.so<BR>
>session optional pam_console.so<BR>
><BR>
><BR>
>Thanks for your help!<BR>
>Raj<BR>
><BR>
><BR>
>On Sat, 19 Feb 2005 Richard Lefebvre wrote :<BR>
> >It seems to work for me, I do put everything else to -1:<BR>
> ><BR>
> >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1<BR>
> ><BR>
> >Also, I don't permit login via telnet, or rlogin only ssh<BR>
> ><BR>
> ><BR>
> >Raj Kumar wrote:<BR>
> >> Hi Richard!<BR>
> >><BR>
> >>I tried that before. The error message I get is<BR>
> >> You are required to change your password immediately (root enforced)<BR>
> >>Your password has expired, the session cannot proceed.<BR>
> >>Connection to testserver closed<BR>
> >><BR>
> >>The user does not get to the prompt to change password. How else can he change the password if he doesn't have access to the shell?<BR>
> >><BR>
> >>thank you,<BR>
> >>Raj<BR>
> >><BR>
> >><BR>
> >><BR>
> >>On Fri, 18 Feb 2005 Richard Lefebvre wrote :<BR>
> >> >"chage -d 0 user1" should do the trick.<BR>
> >> ><BR>
> >> >Richard<BR>
> >> ><BR>
> >> >Raj Kumar wrote:<BR>
> >> >>Hi Mike,<BR>
> >> >><BR>
> >> >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24 hours.<BR>
> >> >><BR>
> >> >>Are there any other options to force the user to change their passwords at first logon?<BR>
> >> >><BR>
> >> >>Thank you,<BR>
> >> >>Raj<BR>
> >> >><BR>
> >> >><BR>
> >><BR>
> >><BR>
> >><BR>
>_______________________________________________<BR>
>rhn-users mailing list<BR>
>rhn-users@redhat.com<BR>
>https://www.redhat.com/mailman/listinfo/rhn-users<BR>
</P>
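<P>
The "root enforced" message in the thread comes from pam_unix's account phase, which both /etc/pam.d/su and /etc/pam.d/sshd reach through the system-auth stack; the check looks only at the aging fields of the user's /etc/shadow record. The script below is an added example for this thread (not code from the list posters and not Linux-PAM's own source): it replays that check over constructed shadow records so you can see what "chage -d 0" sets (last-change day 0) and why the -1 values in the other fields do not affect the result. The records, the placeholder hashes and the "today" day number are constructed; the user-facing strings follow the pam_unix wording of that era (the thread's own log line confirms the "(root enforced)" variant), and nothing here reads the real /etc/shadow.
</P>

```python
"""
Replays pam_unix's account-phase password-aging check over constructed
/etc/shadow records, to show what `chage -d 0 user1` actually changes.

Added example for this thread: not code from the list posters or from
Linux-PAM itself, and it never touches the real /etc/shadow. The shadow
lines and "today" value are constructed; the user messages follow the
pam_unix wording of that era.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

# PAM result codes pam_unix's account module returns for aging problems.
SUCCESS = "PAM_SUCCESS"
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"  # app must call pam_chauthtok()
AUTHTOK_EXPIRED = "PAM_AUTHTOK_EXPIRED"    # past the inactivity grace period
ACCT_EXPIRED = "PAM_ACCT_EXPIRED"          # account expiry date passed

# Days since 1970-01-01; 12830 is roughly mid-February 2005 (constructed).
TODAY = 12830


@dataclass
class ShadowEntry:
    name: str
    lastchg: int   # day of last password change; 0 = change forced
    minimum: int   # min days between changes; -1 = none
    maximum: int   # max days a password is valid; -1 = never expires
    warn: int      # days of warning before expiry; -1 = none
    inact: int     # grace days after expiry; -1 = none
    expire: int    # day the account expires; -1 = never


def _field(value: str, default: int = -1) -> int:
    """Empty aging fields mean 'not set'; shadow-utils writes -1 as empty."""
    return int(value) if value != "" else default


def parse_shadow_line(line: str) -> ShadowEntry:
    """Parse one 9-field /etc/shadow record; the hash and flag are ignored."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("malformed shadow record: %r" % line)
    name, _hash, lastchg, mn, mx, warn, inact, expire, _flag = parts
    return ShadowEntry(name, _field(lastchg, 0), _field(mn), _field(mx),
                       _field(warn), _field(inact), _field(expire))


def force_change_at_next_login(e: ShadowEntry) -> ShadowEntry:
    """What `chage -d 0 -m -1 -M -1 -W -1 -I -1 -E -1 <user>` leaves behind."""
    return ShadowEntry(e.name, 0, -1, -1, -1, -1, -1)


def account_check(e: ShadowEntry, today: int) -> Tuple[str, str]:
    """Return (pam_result, user_message) in pam_unix's order of checks."""
    if e.expire >= 0 and today > e.expire:
        return ACCT_EXPIRED, "Your account has expired; please contact your system administrator"
    if e.lastchg == 0:
        # Fires before any max/inact arithmetic, so -1 elsewhere changes nothing.
        return NEW_AUTHTOK_REQD, "You are required to change your password immediately (root enforced)"
    if e.maximum >= 0:
        if e.inact >= 0 and today > e.lastchg + e.maximum + e.inact:
            return AUTHTOK_EXPIRED, "Your account has expired; please contact your system administrator"
        if today > e.lastchg + e.maximum:
            return NEW_AUTHTOK_REQD, "You are required to change your password immediately (password aged)"
        days_left = e.lastchg + e.maximum - today
        if e.warn > 0 and days_left < e.warn:
            return SUCCESS, "Warning: your password will expire in %d day(s)" % days_left
    return SUCCESS, ""


def check_all(shadow_text: str, today: int) -> Dict[str, Tuple[str, str]]:
    """Run the account check over every record in a shadow-format string."""
    return {
        entry.name: account_check(entry, today)
        for entry in (parse_shadow_line(l) for l in shadow_text.splitlines() if l)
    }


# Constructed records (MD5-crypt-shaped placeholder hashes, not real ones).
SAMPLE_SHADOW = """\
user1:$1$c0nstruc$zq3Tj9XfQkL1m2pQ8vR7a.:0::::::
user2:$1$c0nstruc$zq3Tj9XfQkL1m2pQ8vR7a.:12800:0:99999:7:::
user3:$1$c0nstruc$zq3Tj9XfQkL1m2pQ8vR7a.:12700:0:90:7:::
user4:$1$c0nstruc$zq3Tj9XfQkL1m2pQ8vR7a.:12700:0:90:7:30::
user5:$1$c0nstruc$zq3Tj9XfQkL1m2pQ8vR7a.:12800:0:99999:7::12000:
user6:$1$c0nstruc$zq3Tj9XfQkL1m2pQ8vR7a.:12760:0:75:7:::
"""

if __name__ == "__main__":
    for name, (code, msg) in check_all(SAMPLE_SHADOW, TODAY).items():
        print("%-6s %-21s %s" % (name, code, msg))
```

<P>
user1 is the record the thread's chage command produces: last-change day 0, everything else unset. The check returns PAM_NEW_AUTHTOK_REQD from pam_acct_mgmt() in both the su and the sshd stacks; what happens next is the application's business, not PAM's. su goes on to call pam_chauthtok(), which is why it shows the passwd-style prompts. sshd has to drive the same password change through its own PAM conversation, and whether a given sshd build and configuration does that, or just reports the message and closes the connection, cannot be read off the PAM files alone.
</P>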