expired passwords

Stuart Sears stuart at sjsears.com
Tue Mar 11 16:32:18 UTC 2008


Chris Kottaridis wrote:
> When I run:
> 
> $ passwd -e <username>
> 
> To expire a password for a user and then try to log back in for that
> user, it says that I need to update my password, and then I get back to
> the login prompt.
> 
>> You are required to change your password immediately (root enforced)
> 
> I am expecting that it will ask to make a new password:
> 
>> login: adm1
>> password: *******
>> WARNING: Your password has expired
>> You must change your password now and login again!
>> Changing password for adm1
>> Old password:
>> Enter the new password (minimum of 5, maximum of 8 characters)
>> Please use a combination of upper and lower case letters and numbers
>> New password:
>> Re-enter new password:
>> Password changed.
> 
> The man page for login implies I should be able to set it at login time:
> 
> --------------------------------
>  If password aging has been enabled for your account, you may be
>  prompted for a new password before proceeding. You will be forced to
>  provide your old password and the new password before continuing.
>  Please refer to passwd(1) for more information.
> --------------------------------
> 
> Am I doing something wrong from a sysadmin point of view or is there
> some compile option that needs to be used to get the behavior that I
> want ?

No, you are not. This is down to the order in which login uses PAM to 
check/change your password:
1. Do you know the (current) password for this account?
2. If so, we know who you are (and that you are entitled to use this 
account) and can check your account details to set up your session.
Once this is done, it becomes apparent that your password has expired 
and needs changing.
3. We then go through the normal password changing routine.


What exactly were you expecting to happen?

You type in an account name and immediately get told that the password 
has expired?
This is a security flaw, as it immediately exposes the fact that you 
have typed in a valid account name (you could be anyone trying to log in).
Instead the system tries to authenticate you first - you are *always* 
prompted for a password. If this fails, you (as a possible attacker) 
don't actually know if you typed an incorrect username or an incorrect 
password (or failed for some other reason). All you get is 'login 
incorrect'.

Regards,

Stuart
-- 
Stuart Sears RHCA etc.
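A small simulation of the ordering described in the reply above, added here as an illustration; it is not code from the thread, from login(1) or from pam_unix. The user table, passwords, the "expired" flag (standing in for what `passwd -e` does to the shadow entry) and the reply strings are all constructed for the example. It puts the flow Chris expected (account state reported before any password check) beside the real auth -> account -> password order and shows which of the two lets an attacker tell a valid username from an invented one.

```python
"""Simulation of login's auth -> account -> password ordering.

Added illustration, not the real login(1)/pam_unix code. The user
table, passwords and messages below are constructed for the example.
"""
import hashlib
import hmac
import os

_DUMMY_SALT = b"\0" * 16


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def _make_user(password: str, expired: bool = False) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt), "expired": expired}


# Constructed shadow-like store. "expired" stands in for the effect of
# `passwd -e <user>` (the account's password must be changed at next login).
USERS = {
    "adm1": _make_user("hunter2", expired=True),   # after `passwd -e adm1`
    "chris": _make_user("correct horse"),          # normal account
}


def auth(username: str, password: str) -> bool:
    """Step 1 (PAM 'auth'): does the caller know the current password?

    An unknown username still costs one hash computation against a dummy
    salt, so the response time does not reveal whether the name exists.
    """
    rec = USERS.get(username)
    salt = rec["salt"] if rec else _DUMMY_SALT
    candidate = _hash(password, salt)
    if rec is None:
        return False
    return hmac.compare_digest(candidate, rec["hash"])


def login_leaky(username: str, password: str) -> str:
    """The flow the expected transcript implies: report account state
    before authenticating. A valid but expired account and an unknown
    account answer differently before any password has been checked."""
    rec = USERS.get(username)
    if rec is None:
        return "Login incorrect"
    if rec["expired"]:
        return "WARNING: Your password has expired"
    if not auth(username, password):
        return "Login incorrect"
    return "Session opened"


def login_pam_order(username: str, password: str, new_password=None) -> str:
    """How login drives PAM: auth, then account, then (if needed) password."""
    # 1. auth: always verify the password first. Bad user and bad
    #    password get the identical reply.
    if not auth(username, password):
        return "Login incorrect"
    rec = USERS[username]
    # 2. account: identity is proven, so aging/expiry may now be reported.
    if rec["expired"]:
        if new_password is None:
            return "You are required to change your password immediately"
        # 3. password: the normal change routine, then clear the flag.
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash(new_password, rec["salt"])
        rec["expired"] = False
        return "Password changed"
    return "Session opened"


def enumerates_users(login_fn) -> bool:
    """True if a caller with a wrong password can tell a real account
    from a made-up one by the reply alone."""
    return login_fn("adm1", "wrong") != login_fn("nosuchuser", "wrong")


if __name__ == "__main__":
    for fn in (login_leaky, login_pam_order):
        print(f"{fn.__name__}: enumerates users = {enumerates_users(fn)}")
```

Running it reports that `login_leaky` enumerates users and `login_pam_order` does not; with the correct old password the PAM-ordered flow first returns the "required to change" message and then, given a new password, changes it and clears the expiry, which is the sequence the reply describes.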
