
pam_passwdqc, ssh and expired passwords



Hi

I have installed pam_passwdqc 0.5 on my Solaris 2.8 box (latest recommended
patches, Netra T1, Ultra SPARC II). I am testing this with openssh-3.1p1
(yes I am configuring the latest openssh), and am having issues with
accounts whose passwords have aged.

The config:

/etc/pam.conf
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
login   account required        /usr/lib/security/$ISA/pam_projects.so.1
login   account required        /usr/lib/security/$ISA/pam_unix.so.1
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_passwdqc.so
ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
other   password required       /usr/lib/security/$ISA/pam_unix.so.1
use_first_pass

The login attempt:

johnw@singer% ssh dawkins
*******************************************************************
*                                                                 *
*         This service is for authorised ASIC users only.         *
*            UNAUTHORISED ACCESS STRICTLY PROHIBITED.             *
*                                                                 *
*******************************************************************
johnw@dawkins's password:
Warning: Your password has expired, please change it now

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.

Enter new password:
Re-type new password: Connection to dawkins closed by remote host.
Connection to dawkins closed.

I cannot log in with the changed password, only with the old one (which has
expired).

And the syslog entries:

Jun 26 16:07:52 dawkins sshd[2753]: [ID 308033 auth.debug] pam_acct_mgmt: error Get new authentication token
Jun 26 16:07:52 dawkins sshd[2753]: [ID 800047 auth.info] Accepted password for johnw from 10.10.10.100 port 38439 ssh2
Jun 26 16:07:58 dawkins sshd[2755]: [ID 125209 auth.debug] pam_chauthtok: error Authentication token manipulation error
Jun 26 16:07:58 dawkins sshd[2755]: [ID 800047 auth.crit] fatal: PAM pam_chauthtok failed[20]: Authentication token manipulation error

I see the error in pam_chauthtok, but have no idea how to debug further to
get more information.

Any pointers as to what I am doing wrong would be appreciated.

Thanks

John
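An added example (not part of the post, and not code from pam_passwdqc or OpenSSH) for the "how to debug further" question above: it parses a Solaris-style pam.conf, resolves the stack that a service actually gets (falling back to the `other` entries, which is what sshd gets here since it has no entries of its own), and flags any line that is not a complete four-field entry. It assumes that Solaris 8 pam.conf has no line-continuation syntax, so the config is embedded exactly as it is wrapped in the message and the two option lines standing on their own are reported; if they sit on the module lines in the real file, nothing is flagged.

```python
"""Show the effective PAM stack a service gets from a Solaris-style pam.conf
and flag entries lacking the four mandatory fields (service, type, control,
module). Assumes no line-continuation syntax: one entry per line."""
from collections import defaultdict

# Constructed sample: the pam.conf exactly as wrapped in the message, so the
# options of the two password entries stand on lines of their own.
SAMPLE_PAM_CONF = """\
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_passwdqc.so
ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
other   password required       /usr/lib/security/$ISA/pam_unix.so.1
use_first_pass
"""
CONTROLS = {"required", "requisite", "optional", "sufficient"}

def parse_pam_conf(text):
    """Return (stacks, problems): stacks maps (service, type) to an ordered
    list of (control, module, options); problems lists (lineno, text) for
    lines that are not a complete entry, e.g. options wrapped on their own."""
    stacks, problems = defaultdict(list), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[2].lower() not in CONTROLS:
            problems.append((lineno, line))
            continue
        service, mtype, control = (f.lower() for f in fields[:3])
        stacks[(service, mtype)].append((control, fields[3], fields[4:]))
    return dict(stacks), problems

def effective_stack(stacks, service, mtype):
    """A service-specific stack replaces the 'other' stack for that type; it
    does not extend it. sshd has no entries in the sample, so 'other' applies."""
    key = (service.lower(), mtype.lower())
    return stacks.get(key) or stacks.get(("other", key[1]), [])

if __name__ == "__main__":
    # The 'password' stack is what pam_chauthtok walks for sshd.
    stacks, problems = parse_pam_conf(SAMPLE_PAM_CONF)
    for lineno, line in problems:
        print("line %d is not a complete entry (wrapped options?): %s" % (lineno, line))
    for control, module, options in effective_stack(stacks, "sshd", "password"):
        print("password %-9s %s %s" % (control, module, " ".join(options)))
```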
