Hi Richard, /etc/pam.d/system-auth is another file to compare. Do you use pam_unix or pam_unix2? more system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required /lib/security/$ISA/pam_env.so auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok auth required /lib/security/$ISA/pam_deny.so account required /lib/security/$ISA/pam_unix.so password required /lib/security/$ISA/pam_cracklib.so retry=3 type= password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow password required /lib/security/$ISA/pam_deny.so session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so ----------------------- error messages in /var/log/message: sshd(pam_unix)[12002]: expired password for user user1 (root enforced) sshd(pam_unix)[12004]: session opened for user user1 by (uid=501) sshd(pam_unix)[12004]: session closed for user user1 But what is confusing is both /etc/pam.d/su and sshd references system-auth for auth and account. So why does su work but sshd fail? Thanks again for your help! Raj On Sat, 19 Feb 2005 Raj Kumar wrote : >Hi Richard, > >I also tried this now >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1 > >It still doesn't work. After executing the above command chage -l user1 reports: > >Minimum: -1 >Maximum: -1 >Warning: -1 >Inactive: -1 >Last Change: Never >Password Expires: Never >Password Inactive: Never >Account Expires: Never > >Do you get similar output? What ssh client are you using? I tried with Mindterm, openssh client installed on linux and ssh client installed with cygwin. They all don't work. I get the error message and the connection is terminated immediately. But if I login as user2 and then try "su user1" I get the error message and then the prompt to change password (similar to the prompts you get when passwd is run). > >Since it works with su and not with ssh and the authentication process goes through PAM I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files? >We should probably compare the module-type "account" settings in these files. I dont see the difference in account modules in my /etc/pam.d/su and /etc/pam.d/sshd/ files > > > more /etc/pam.d/su > >#%PAM-1.0 >auth sufficient /lib/security/$ISA/pam_rootok.so ># Uncomment the following line to implicitly trust users in the "wheel" group. >#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid ># Uncomment the following line to require a user to be in the "wheel" group. >#auth required /lib/security/$ISA/pam_wheel.so use_uid >auth required /lib/security/$ISA/pam_stack.so service=system-auth >account required /lib/security/$ISA/pam_stack.so service=system-auth >password required /lib/security/$ISA/pam_stack.so service=system-auth >session required /lib/security/$ISA/pam_stack.so service=system-auth >session optional /lib/security/$ISA/pam_xauth.so > >--------------------------------------------------------------- > >more /etc/pam.d/sshd > >#%PAM-1.0 >auth required pam_stack.so service=system-auth >auth required pam_nologin.so >account required pam_stack.so service=system-auth >password required pam_stack.so service=system-auth >session required pam_stack.so service=system-auth >session required pam_limits.so >session optional pam_console.so > > >Thanks for your help! >Raj > > >On Sat, 19 Feb 2005 Richard Lefebvre wrote : > >It seems to work for me, I do put everything else to -1: > > > >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1 > > > >Also, I don't permit login via telnet, or rlogin only ssh > > > > > >Raj Kumar wrote: > >> Hi Richard! > >> > >>I tried that before. The error message I get is > >> You are required to change your password immediately (root enforced) > >>Your password has expired, the session cannot proceed. > >>Connection to testserver closed > >> > >>The user does not get to the prompt to change password. How else can he change the password if he doesnt have access to the shell? > >> > >>thank you, > >>Raj > >> > >> > >> > >>On Fri, 18 Feb 2005 Richard Lefebvre wrote : > >> >"chage -d 0 user1" should do the trick. > >> > > >> >Richard > >> > > >> >Raj Kumar wrote: > >> >>Hi Mike, > >> >> > >> >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24Hrs. > >> >> > >> >>Are there any other options to force the user to change their passwords at first logon? > >> >> > >> >>Thank you, > >> >>Raj > >> >> > >> >> > >> > >> > >> > >><http://clients.rediff.com/signature/track_sig.asp> >_______________________________________________ >rhn-users mailing list >rhn-users@redhat.com >https://www.redhat.com/mailman/listinfo/rhn-users <A target="_blank" HREF="http://clients.rediff.com/signature/track_sig.asp"><IMG SRC="http://ads.rediff.com/RealMedia/ads/adstream_nx.cgi/www.rediffmail.com/inbox.htm@Bottom" BORDER=0 VSPACE=0 HSPACE=0></a>