Redhat pam_krb5 and password expiry.



Hello,

Sorry if this is a repeat but I couldn't find this in the archives:

We are using RedHat 7.2 with all latest patches and
pam_krb5-1.46-1 with krb5-*-1.2.2-14.

Pam works just fine with the exception of forcing password
expiry. I understand this is difficult with PAM as krb5 demands
a new password before authentication can complete.

Has anyone had success in getting password expiry working in
this environment?

I've tried both the default installed /etc/pam.d/login (the login
method I'm using to test is telnetd with login) and some of the samples
in /usr/share/doc/pam_krb5/pam.d and both cause an abort in authentication
when the password is expired and no 'enter new password' prompt is given.
Debug log:

--------------------------------
Aug 28 08:13:40 host login[30906]: pam_krb5: attempting to authenticate `user'
Aug 28 08:13:40 host login[30906]: pam_krb5: get_int_tkt returned Password has expired
Aug 28 08:13:40 host login[30906]: pam_krb5: authenticate error: Password has expired (-1765328361)
Aug 28 08:13:40 host login[30906]: pam_krb5: authentication fails for `user'
Aug 28 08:13:40 host login[30906]: pam_krb5: pam_sm_authenticate returning 12 (Authentication token is no longer valid; new one required.)
Aug 28 08:13:42 host login[30906]: FAILED LOGIN SESSION FROM host.domain.ca FOR user, Authentication token is no longer valid; new one required.

----------------------------------

When I try my own bare-bones pam.d/login, I get an 'Enter new password'
prompt but it ends up in an endless loop of the two password prompts:

Kernel 2.4.9-34smp on an i686
login: user
Password:
Enter new password:
Enter it again:
Enter new password:
Enter it again:
and so on...

There is nothing wrong with the password I'm choosing as it meets all
of the policy criteria. The debug log doesn't reveal anything beyond the
following line:

Aug 28 08:22:23 hostname login: pam_krb5: attempting to authenticate `user'

My pam.d/login:

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_krb5.so debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_unix.so

Any suggestions are appreciated.
Mike.
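
Added example, not part of the original message: a triage script that reads pam_krb5 debug lines like those quoted above and separates expired-password rejections (krb5 error -1765328361, PAM return 12) from other failures and from attempts that log no outcome, as in the prompt loop. The names `classify` and `SAMPLE` are hypothetical, and the sample input is constructed from the post's log with mail wrapping undone, plus one invented wrong-password attempt.

```python
import re
from collections import defaultdict

# Codes that appear in the post's debug log.
KRB5KDC_ERR_KEY_EXP = -1765328361  # krb5 error table base -1765328384 + 23
PAM_NEW_AUTHTOK_REQD = 12          # Linux-PAM value for "new token required"
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) "
                  r"login(?:\[(?P<pid>\d+)\])?: pam_krb5: (?P<msg>.*)$")
USER = re.compile(r"attempting to authenticate `(?P<user>[^']+)'")
KRB5 = re.compile(r"authenticate error: .*\((?P<code>-?\d+)\)")
PAM = re.compile(r"pam_sm_authenticate returning (?P<rc>\d+)")

# Constructed sample: the post's log lines with mail wrapping undone, plus one
# invented wrong-password attempt (PID 31002, user `other') for contrast.
SAMPLE = [
    "Aug 28 08:13:40 host login[30906]: pam_krb5: attempting to authenticate `user'",
    "Aug 28 08:13:40 host login[30906]: pam_krb5: authenticate error: Password has expired (-1765328361)",
    "Aug 28 08:13:40 host login[30906]: pam_krb5: pam_sm_authenticate returning 12 (Authentication token is no longer valid; new one required.)",
    "Aug 28 08:22:23 hostname login: pam_krb5: attempting to authenticate `user'",
    "Aug 28 08:30:01 host login[31002]: pam_krb5: attempting to authenticate `other'",
    "Aug 28 08:30:01 host login[31002]: pam_krb5: authenticate error: Decrypt integrity check failed (-1765328353)",
    "Aug 28 08:30:01 host login[31002]: pam_krb5: pam_sm_authenticate returning 7 (Authentication failure)",
]

def classify(lines):
    """Group pam_krb5 debug lines per login process and label each attempt."""
    sessions = defaultdict(dict)
    for line in lines:
        if not (m := LINE.match(line)):
            continue  # not a pam_krb5 line from login
        s = sessions[(m["host"], m["pid"])]  # pid is None when syslog omits it
        if u := USER.search(m["msg"]):
            s["user"] = u["user"]
        elif k := KRB5.search(m["msg"]):
            s["krb5"] = int(k["code"])
        elif p := PAM.search(m["msg"]):
            s["pam"] = int(p["rc"])
    rows = []
    for (host, pid), s in sessions.items():
        if s.get("krb5") == KRB5KDC_ERR_KEY_EXP or s.get("pam") == PAM_NEW_AUTHTOK_REQD:
            label = "password-expired"   # KDC demands a password change
        elif "krb5" in s or "pam" in s:
            label = "auth-failed"
        else:
            label = "no-outcome-logged"  # e.g. the prompt loop in the post
        rows.append((host, pid, s.get("user"), label))
    return rows

if __name__ == "__main__":
    print(*classify(SAMPLE), sep="\n")
```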