expired passwords

Chris Kottaridis chriskot at quietwind.net
Tue Mar 11 21:35:16 UTC 2008


Turns out it was a sysadmin issue.

I noticed that in /etc/pam.d/sshd there was a line:

password   required     pam_stack.so service=system-auth

There wasn't such a line in the /etc/pam.d/login file. So, I added it to
/etc/pam.d/login after the account lines and before the session
lines. Now telnet connections and serial port connections behave the
same way as the ssh connections.

Thanks
    Chris Kottaridis    (chriskot at quietwind.net)



On Tue, 2008-03-11 at 11:36 -0700, Chris Kottaridis wrote:
> Sorry, I wasn't clear.
> 
> Here is what I get when I try and telnet in to localhost:
> 
> >> telnet localhost
> >Trying 127.0.0.1...
> >Connected to localhost.
> >Escape character is '^]'.
> >
> >host10 login: tester
> >Password:
> >You are required to change your password immediately (password aged)
> >
> >Authentication token manipulation error
> >Connection closed by foreign host
> 
> So, I guess if I didn't get the "Authentication token manipulation
> error" then it'd prompt me for a new password. I get the same kind of
> thing when trying to login on the serial port.
> 
> Interestingly enough if I ssh into the machine from another machine I
> seem to get what I want:
> 
> >$ ssh tester at 172.25.33.60
> >tester at 172.25.33.60's password:
> >You are required to change your password immediately (password aged)
> >
> >
> >WARNING: Your password has expired.
> >You must change your password now and login again!
> >Changing password for tester
> >(current) UNIX password:
> 
> Is this related to some sort of PAM configuration options
> in /etc/pam.d/login or possibly login.defs ?
> 
> Why would ssh work OK, but telnet to localhost and serial port access
> not work OK ?
> 
> Thanks
>     Chris Kottaridis    (chriskot at quietwind.net)
> 
> On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> > Chris Kottaridis wrote:
> > > When I run:
> > > 
> > > $ passwd -e <username>
> > > 
> > > To expire a password for a user and then try to log back in for that
> > > user it says that I need to update my password. and then I get back to
> > > the login prompt.
> > > 
> > >> You are required to change your password immediately (root enforced)
> > > 
> > > I am expecting that it will ask to make a new password:
> > > 
> > >> login: adm1
> > >> password: *******
> > >> WARNING: Your password has expired
> > >> You must change your password now and login again!
> > >> Changing password for adm1
> > >> Old password:
> > >> Enter the new password (minimum of 5, maximum of 8 characters)
> > >> Please use a combination of upper and lower case letters and numbers
> > >> New password:
> > >> Re-enter new password:
> > >> Password changed.
> > > 
> > > The man page for login implies I should be able to set it at login time:
> > > 
> > > --------------------------------
> > >  If password aging has been enabled for your account, you may be
> > >  prompted for a new password before proceeding. You will be forced to
> > >  provide your old password and the new password before continuing.
> > >  Please refer to passwd(1) for more information.
> > > --------------------------------
> > > 
> > > Am I doing something wrong from a sysadmin point of view or is there
> > > some compile option that needs to be used to get the behavior that I
> > > want ?
> > 
> > No, you are not. This is down to the order in which login uses PAM to 
> > check/change your password:
> > 1. Do you know the (current) password for this account?
> > 2. If so, we know who you are (and that you are entitled to use this 
> > account) and can check your account details to set up your session.
> > Once this is done, it becomes apparent that your password has expired 
> > and needs changing.
> > 3. We then go through the normal password changing routine.
> > 
> > 
> > what exactly were you expecting to happen?
> > 
> > You type in an account name and immediately get told that the password 
> > has expired?
> > This is a security flaw, as it immediately exposes the fact that you 
> > have typed in a valid account name (you could be anyone trying to log in).
> > Instead the system tries to authenticate you first - you are *always* 
> > prompted for a password. If this fails, you (as a possible attacker) 
> > don't actually know if you typed an incorrect username or an incorrect 
> > password (or failed for some other reason). All you get is 'login 
> > incorrect'.
> > 
> > Regards,
> > 
> > Stuart
> 
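Added example, not from the thread or from Fedora: a small Python checker that parses a pam.d service file and reports which of the four PAM management groups (auth, account, password, session) it stacks. It models the fix above, where /etc/pam.d/login had no `password` line and the forced change of an expired password therefore had no module to run. The file contents are constructed: LOGIN_BEFORE approximates the broken login file, LOGIN_AFTER adds the `pam_stack.so service=system-auth` line quoted from /etc/pam.d/sshd, and LOGIN_MODERN uses the `include`/`substack` spelling that replaced pam_stack.so on later Linux-PAM releases. Module names other than those quoted in the thread are assumptions.

```python
"""Report which PAM management groups a pam.d service file stacks."""

from typing import Dict, Iterator, List

# The four management groups a pam.d service file can stack.
MANAGEMENT_GROUPS = ("auth", "account", "password", "session")

# Constructed sample: /etc/pam.d/login roughly as implied by the thread
# before the fix; it has auth, account and session lines but no password line.
LOGIN_BEFORE = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
"""

# Constructed sample: the same file with the line quoted from /etc/pam.d/sshd
# inserted after the account lines and before the session lines.
LOGIN_AFTER = """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
"""

# Constructed sample in the later include/substack spelling, with a bracketed
# control field to exercise the parser (module set is assumed).
LOGIN_MODERN = """\
#%PAM-1.0
auth       [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    required     pam_selinux.so close
session    include      system-auth
"""


def _logical_lines(text: str) -> Iterator[str]:
    """Yield non-empty, comment-stripped lines, joining backslash continuations."""
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        if line.strip():
            yield line


def parse_pam_service(text: str) -> List[Dict[str, str]]:
    """Parse a pam.d service file into group/control/module/args entries."""
    entries: List[Dict[str, str]] = []
    for line in _logical_lines(text):
        tokens = line.split()
        group = tokens[0].lstrip("-").lower()  # leading '-' means module may be absent
        if group not in MANAGEMENT_GROUPS:
            continue  # e.g. Debian-style '@include common-auth' is not a group line
        rest = tokens[1:]
        if rest and rest[0].startswith("["):
            # A bracketed control field may contain spaces; rejoin it into one token.
            closing = [i for i, tok in enumerate(rest) if tok.endswith("]")]
            end = closing[0] if closing else len(rest) - 1
            control, rest = " ".join(rest[: end + 1]), rest[end + 1:]
        else:
            control, rest = (rest[0] if rest else ""), rest[1:]
        module = rest[0] if rest else ""
        entries.append({"group": group, "control": control,
                        "module": module, "args": " ".join(rest[1:])})
    return entries


def missing_groups(text: str) -> List[str]:
    """Return the management groups the service file does not stack at all."""
    present = {entry["group"] for entry in parse_pam_service(text)}
    return [group for group in MANAGEMENT_GROUPS if group not in present]


def can_change_expired_password(text: str) -> bool:
    """A service can complete a forced password change only if it stacks a
    password group; without one the change has nothing to run (the symptom
    in the thread was 'Authentication token manipulation error')."""
    return "password" not in missing_groups(text)


if __name__ == "__main__":
    for name, content in (("before", LOGIN_BEFORE), ("after", LOGIN_AFTER)):
        print(name, "missing:", missing_groups(content) or "none",
              "| can change expired password:", can_change_expired_password(content))
```

Each management group is a separate stack, so the position of the password line relative to the account and session lines does not change behaviour; the auth, account, password, session order used above is simply the conventional layout. Run the checker over every file in /etc/pam.d that a login path uses (login, sshd, gdm and so on) to find services that would hit the same dead end on an expired password.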