[Freeipa-users] Error changing expired user password using SSH

Dan Scott danieljamesscott at gmail.com
Mon Nov 8 20:04:39 UTC 2010


Hi,

I'm having problems with users accessing their accounts for the first
time using SSH. I create their account in FreeIPA and set a (expired)
password. Then I have them ssh into one of our computers to set up
their password. The connection displays the following:

djscott at pc35:~$ ssh guser at pc20
guser at pc20's password:
Warning: Your password will expire in less than one hour.
Warning: password has expired.
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user guser.
Kerberos 5 Password:
Warning: Your password will expire in less than one hour.
New password:
Retype new password:
passwd: Authentication token manipulation error
Connection to pc20 closed.

And the password change fails. Here is the relevant section from the
Kerberos logfile. There is no entry in the LDAP log in dirsrv.

Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED:
guser at EXAMPLE.COM for krbtgt/EXAMPLE.COM at EXAMPLE.COM, Password has
expired
Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH:
guser at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
pre-authentication required
Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702,
etypes {rep=18 tkt=18 ses=18}, guser at EXAMPLE.COM for
kadmin/changepw at EXAMPLE.COM
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH:
guser at EXAMPLE.COM for kadmin/changepw at EXAMPLE.COM, Additional
pre-authentication required
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7
etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703,
etypes {rep=18 tkt=18 ses=18}, guser at EXAMPLE.COM for
kadmin/changepw at EXAMPLE.COM

This appears to work fine when using kinit to login for the first
time. Shouldn't it work using SSH too? This will be a problem for our
remote users, since they have to connect remotely, using SSH.

Thanks,

Dan Scott
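Added example, not part of the original post or of FreeIPA: a small parser for the krb5kdc log entries quoted above, used to check what the KDC itself says about an expired-password flow for one principal. The KDC log in the post shows a CLIENT KEY EXPIRED on the krbtgt request followed by two ISSUE entries for kadmin/changepw, meaning the KDC did hand out the change-password ticket; the "Authentication token manipulation error" therefore comes from a later step (the password-change request to the changepw service, or the PAM stack on the SSH host), not from the AS exchange. The sample lines are constructed from the post's log with the mailing-list archive's " at " obfuscation restored to "@" and the wrapped records re-joined; the function and field names are this example's own.

```python
import re

# Constructed sample: the krb5kdc entries quoted in the post, one record per
# line, with "@" restored (the list archive rewrites it as " at ").
SAMPLE_LOG = """\
Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: CLIENT KEY EXPIRED: guser@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Nov 08 14:48:21 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Nov 08 14:48:22 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245702, etypes {rep=18 tkt=18 ses=18}, guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: NEEDED_PREAUTH: guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM, Additional pre-authentication required
Nov 08 14:48:23 fileserver2.example.com krb5kdc[1246](info): AS_REQ (7 etypes {18 17 16 23 1 3 2}) 192.168.1.20: ISSUE: authtime 1289245703, etypes {rep=18 tkt=18 ses=18}, guser@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
"""

# One AS_REQ/TGS_REQ record: timestamp, host, request type, client IP,
# status keyword(s) such as "CLIENT KEY EXPIRED" / "NEEDED_PREAUTH" / "ISSUE",
# and the free-text remainder that names the principals.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<ip>[\d.]+): "
    r"(?P<status>[A-Z_ ]+?): (?P<rest>.*)$"
)
# "<client principal> for <server principal>" inside the remainder.
PRINC_RE = re.compile(r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def parse_kdc_log(text):
    """Return a list of dicts, one per recognised krb5kdc request line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # some other kdc message; ignored by this example
        pm = PRINC_RE.search(m.group("rest"))
        events.append({
            "time": m.group("ts"),
            "ip": m.group("ip"),
            "status": m.group("status"),
            "client": pm.group("client") if pm else None,
            "server": pm.group("server") if pm else None,
        })
    return events


def summarize_password_change(events, client):
    """What the KDC log says about an expired-password login for `client`.

    kdc_side_ok is True when the KDC rejected the krbtgt request as expired
    AND later issued a kadmin/changepw ticket: the AS exchange worked, so a
    failed change must be looked for after the KDC (changepw service, PAM).
    """
    mine = [e for e in events if e["client"] == client]
    expired = [e for e in mine if e["status"] == "CLIENT KEY EXPIRED"]
    changepw = [e for e in mine
                if e["status"] == "ISSUE"
                and (e["server"] or "").startswith("kadmin/changepw@")]
    return {
        "expired_logins": len(expired),
        "changepw_tickets": len(changepw),
        "kdc_side_ok": bool(expired) and bool(changepw),
        "client_ips": sorted({e["ip"] for e in mine}),
    }


if __name__ == "__main__":
    summary = summarize_password_change(parse_kdc_log(SAMPLE_LOG),
                                        "guser@EXAMPLE.COM")
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the post's log this reports one expired krbtgt request and two changepw tickets from 192.168.1.20, so the next things to compare are the kpasswd/changepw side and the PAM configuration on the SSH host against the kinit path that the post says works.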
