
Re: pam_passwdqc, ssh and expired passwords



Hi

Thanks for the reply - well I can change my password as either myself or
root:

johnw@dawkins% passwd johnw
Enter current password:

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.

Enter new password:
Re-type new password:
passwd (SYSTEM): passwd successfully changed for johnw

AND

root@dawkins# passwd johnw

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.

Enter new password:
Re-type new password:
passwd (SYSTEM): passwd successfully changed for johnw

So, it looks like that is working OK.

If I try to log in with telnet, I get a similar effort:

% telnet dawkins

Connected to dawkins.
Escape character is '^]'.

SunOS 5.8
login: johnw
Password:
Choose a new password.

You can now choose the new password.

A valid password should be a mix of upper and lower case letters,
digits and other characters.  You can use an 8 character long
password with characters from at least 3 of these 4 classes, or
a 7 character long password containing characters from all the
classes.  Characters that form a common pattern are discarded by
the check.

Enter new password:
Re-type new password:
telnet(SYSTEM): Sorry.
Connection closed by foreign host.

Jun 27 16:14:29 dawkins login: [ID 308033 auth.debug] pam_acct_mgmt: error
Get new authentication token
Jun 27 16:14:36 dawkins login: [ID 125209 auth.debug] pam_chauthtok: error
Authentication token manipulation error
Jun 27 16:14:36 dawkins login: [ID 376080 auth.crit] change password
failure: Authentication token manipulation error

So this is not limited to SSH.

Hope this helps pin the issue.

Thanks

John


Solar Designer <solar@openwall.com>
To: pam-list@redhat.com
cc: John Warburton <John.Warburton@asic.gov.au>
Subject: Re: pam_passwdqc, ssh and expired passwords
26/06/2002 09:52 PM

On Wed, Jun 26, 2002 at 04:09:20PM +1000, John Warburton wrote:

Hi John,

> I have installed pam_passwdqc 0.5 on my Solaris 2.8 box (latest
> recommended patches, Netra T1, Ultra SPARC II). I am testing this with
> openssh-3.1p1 (yes I am configuring the latest openssh), and am having
> issues with accounts whose passwords have aged.

(BTW, the changing of expired passwords via PAM is gone with OpenSSH
3.3p1, will hopefully be re-added in future versions.)

> The config:
>
> /etc/pam.conf
> login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
> login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> login   account required        /usr/lib/security/$ISA/pam_projects.so.1
> login   account required        /usr/lib/security/$ISA/pam_unix.so.1
> other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
> other   account required        /usr/lib/security/$ISA/pam_projects.so.1
> other   account required        /usr/lib/security/$ISA/pam_unix.so.1
> other   session required        /usr/lib/security/$ISA/pam_unix.so.1
> other   password required       /usr/lib/security/$ISA/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
> other   password required       /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
>
> The login attempt
>
> johnw@singer% ssh dawkins
> *******************************************************************
> *                                                                 *
> *         This service is for authorised ASIC users only.         *
> *            UNAUTHORISED ACCESS STRICTLY PROHIBITED.             *
> *                                                                 *
> *******************************************************************
> johnw@dawkins's password:
> Warning: Your password has expired, please change it now
>
> You can now choose the new password.
>
> A valid password should be a mix of upper and lower case letters,
> digits and other characters.  You can use an 8 character long
> password with characters from at least 3 of these 4 classes, or
> a 7 character long password containing characters from all the
> classes.  Characters that form a common pattern are discarded by
> the check.
>
> Enter new password:
> Re-type new password: Connection to dawkins closed by remote host.
> Connection to dawkins closed.
>
> I cannot login with the changed password, but only with the old (which is
> expired)

Well, as you can see, pam_passwdqc hasn't asked for the old password
despite you specifying ask_oldauthtok as required for stacking with
Sun's pam_unix.  This is because pam_passwdqc tries to be smart and
not ask for the old password when it is running as root.  pam_unix
would probably do the same.  But we see that it fails, and the syslog
messages suggest that it does want to obtain the old password.

Are you able to change passwords with such a setup (with pam_passwdqc),
with passwd(1)?  When running as the user?  When running as root?

From the information you've provided, I suspect that the latter will
fail in a similar way.  Although it worked for me.

If that is the case, I will be doing some more testing on Solaris 8
myself.

If, however, this turns out to be OpenSSH specific, I will be doing
the testing only after this stuff is introduced into OpenSSH again.
It doesn't make sense to deal with 3.1p1 issues now.

Thanks for the report!

--
/sd
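To make the stacking question in this thread concrete, here is an added example (not code from the thread, from pam_passwdqc or from Solaris) that parses a constructed copy of the pam.conf quoted above, resolves the password stack a service falls back to, and reports which module is expected to supply the old password. The hand-off model follows Solar Designer's explanation: a module given ask_oldauthtok prompts for the old password, pam_passwdqc skips that prompt when running as root, and a later module given use_first_pass never prompts itself. The checker only shows where the hand-off breaks; whether the downstream module tolerates the missing token (as passwd(1) run by root evidently does in John's transcript, while login does not) is exactly what the thread is still working out.

```python
"""Resolve a Solaris-style /etc/pam.conf password stack and trace the old
password hand-off between pam_passwdqc (ask_oldauthtok) and pam_unix
(use_first_pass).  Added example: the hand-off rules are a model of the
behaviour described in the thread, not pam_passwdqc's own code."""

# Constructed copy of the pam.conf quoted in the thread, with the two
# wrapped continuation lines joined back onto their module lines.
PAM_CONF = """\
login   auth required   /usr/lib/security/$ISA/pam_unix.so.1
other   auth required   /usr/lib/security/$ISA/pam_unix.so.1
login   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
login   account required        /usr/lib/security/$ISA/pam_projects.so.1
login   account required        /usr/lib/security/$ISA/pam_unix.so.1
other   account requisite       /usr/lib/security/$ISA/pam_roles.so.1
other   account required        /usr/lib/security/$ISA/pam_projects.so.1
other   account required        /usr/lib/security/$ISA/pam_unix.so.1
other   session required        /usr/lib/security/$ISA/pam_unix.so.1
other   password required       /usr/lib/security/$ISA/pam_passwdqc.so ask_oldauthtok=update check_oldauthtok passphrase=0 max=8 enforce=users
other   password required       /usr/lib/security/$ISA/pam_unix.so.1 use_first_pass
"""


def parse_pam_conf(text):
    """Parse pam.conf into (service, type, control, module, options) tuples.
    The module path is reduced to its basename; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, path = fields[:4]
        entries.append((service, mtype, control, path.rsplit("/", 1)[-1], fields[4:]))
    return entries


def password_stack(entries, service):
    """Return the 'password' stack used for a service: Solaris pam.conf
    applies the service's own lines if any exist, else the 'other' lines."""
    own = [e for e in entries if e[0] == service and e[1] == "password"]
    if own:
        return own
    return [e for e in entries if e[0] == "other" and e[1] == "password"]


def oldauthtok_handoff(stack, running_as_root):
    """Trace which module collects the old password and which modules
    rely on it having been collected earlier (use_first_pass).

    Model (from the thread): ask_oldauthtok makes a module prompt for the
    old password, except that pam_passwdqc skips the prompt when the
    process runs as root; use_first_pass makes a module take the token
    left by an earlier module without prompting.  'gap' is True when a
    use_first_pass module runs before any module has prompted.
    """
    prompted_by = None
    relying = []
    gap = False
    for _service, _mtype, _control, module, options in stack:
        names = [o.split("=", 1)[0] for o in options]
        if "ask_oldauthtok" in names:
            skip = module.startswith("pam_passwdqc") and running_as_root
            if not skip and prompted_by is None:
                prompted_by = module
        if "use_first_pass" in names:
            relying.append(module)
            if prompted_by is None:
                gap = True
    return {"prompted_by": prompted_by, "relying_on_first_pass": relying, "gap": gap}


if __name__ == "__main__":
    stack = password_stack(parse_pam_conf(PAM_CONF), "login")
    print("password stack for 'login':", [e[3] for e in stack])
    for as_root in (False, True):
        print("running as root=%s:" % as_root, oldauthtok_handoff(stack, as_root))
```

Run it and the 'login' service resolves to the 'other' password stack; as the user, pam_passwdqc is reported as the module that prompts and there is no gap, while as root (the situation login and telnet are in) no module prompts and pam_unix is left relying on a first pass that never happened.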