[Freeipa-users] Do expired passwords remain usable indefinitely?

Brian Candler b.candler at pobox.com
Tue Oct 25 07:54:37 UTC 2016


On 25/10/2016 00:02, Prasun Gera wrote:
> I've seen some different behaviour. I've had errors for users 
> (including the admin user) trying to log in with possibly an expired 
> password. Both webui and ssh would fail, but kinit would work. I'm not 
> sure if this is related to the password's expiration or the account's 
> expiration. My /var/log/secure has messages like "pam_sss(sshd:auth): 
> received for user uname: 13 (User account has expired)". Is there a 
> setting for default expiration of user accounts? I don't remember 
> setting it anywhere.

By "account expiration" do you mean the "--principal-expiration" option 
to ipa user-xxx? Or is there another setting?

Code 13 is PAM_ACCT_EXPIRED, at least in the "new" constants:

$ egrep '\b13\b' /usr/include/security/*pam*
/usr/include/security/_pam_compat.h:# define PAM_USER_UNKNOWN     13
/usr/include/security/_pam_types.h:#define PAM_ACCT_EXPIRED 13    /* User account has expired */
/usr/include/security/_pam_types.h:#define PAM_AUTHTOK_TYPE   13 /* The type for pam_get_authtok */

This to me implies it's not looking at the krbPasswordExpiration 
attribute, because it could (or should) use PAM_AUTHTOK_EXPIRED (27) for 
that instead.

For me, pam_sss seems to handle expiry correctly. For example, if I reset 
an account password (which in turn causes it to expire immediately), and 
then someone logs in with their ssh private key and subsequently does 
"sudo", sudo prompts them for the password, tells them it has expired, 
but gives them the opportunity to change it.

However it's not impossible that the PAM module has some buried logic, 
e.g. it refuses to use a password which expired more than X days ago. 
That was the reason for my original question.  I guess I should try 
setting some expiry date way in the past.

The other thing is to look in the source code for pam_sss to see under 
which conditions it returns PAM_ACCT_EXPIRED.  The answer is: when it 
gets ERR_ACCOUNT_EXPIRED from parse_krb5_child_response. Which in turn 
is when we get KRB5KDC_ERR_NAME_EXP from Kerberos. Which in turn is 
"Client's entry in database has expired".

http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-admin/Kerberos-V5-Library-Error-Codes.html

But as has already been said - if the *principal* has expired you 
shouldn't be able to log in with kinit at all.

Regards,

Brian.
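A small triage script illustrating the distinction drawn in this message (PAM code 13 versus 27 in pam_sss log lines). It is an added example, not part of the thread or of SSSD: the log lines, host names and user names are constructed, and the "likely cause" strings are assumptions that follow the reasoning above rather than anything SSSD itself reports.

```python
import re
from collections import Counter

# Subset of Linux-PAM return codes (values from _pam_types.h).
PAM_CODES = {7: "PAM_AUTH_ERR", 13: "PAM_ACCT_EXPIRED", 27: "PAM_AUTHTOK_EXPIRED"}

# Likely cause per code, following the reasoning in the message above: 13 is
# what pam_sss returns for KRB5KDC_ERR_NAME_EXP (the principal itself expired),
# whereas a password past krbPasswordExpiration would surface as 27 instead.
LIKELY_CAUSE = {
    13: "principal expired: check krbPrincipalExpiration with 'ipa user-show --all'",
    27: "password expired: user should be offered a password change",
    7: "authentication failure (wrong password or other auth error)",
}

# Matches the pam_sss syslog line shape quoted in the thread.
PAM_SSS_RE = re.compile(
    r"pam_sss\((?P<service>[^:]+):[^)]+\): received for user "
    r"(?P<user>\S+): (?P<code>\d+) \((?P<text>[^)]*)\)"
)

def parse_pam_sss(line):
    """Return a dict describing one pam_sss result line, or None if it isn't one."""
    m = PAM_SSS_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    return {
        "service": m.group("service"),
        "user": m.group("user"),
        "code": code,
        "name": PAM_CODES.get(code, "UNKNOWN_%d" % code),
        "cause": LIKELY_CAUSE.get(code, "unclassified: look the code up in _pam_types.h"),
    }

def triage(lines):
    """Parse every pam_sss line and count (user, PAM constant) pairs."""
    events = [e for e in (parse_pam_sss(l) for l in lines) if e]
    return events, Counter((e["user"], e["name"]) for e in events)

# Constructed sample /var/log/secure lines (hosts, users and addresses are made up).
SAMPLE_LOG = [
    "Oct 25 07:50:01 ipa-client sshd[2101]: pam_sss(sshd:auth): received for user alice: 13 (User account has expired)",
    "Oct 25 07:51:14 ipa-client sshd[2130]: pam_sss(sshd:auth): received for user bob: 27 (Authentication token is no longer valid; new one required)",
    "Oct 25 07:52:30 ipa-client sshd[2144]: Accepted publickey for carol from 192.0.2.11 port 50122 ssh2",
]

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)[0]:
        print("%(user)s via %(service)s: %(code)d %(name)s -> %(cause)s" % e)
```

Run it against a real /var/log/secure by replacing SAMPLE_LOG with the file's lines; a user showing 13 rather than 27 points at principal expiration, not password expiration.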
