Kerberos expired passwords
Digant C Kasundra
digant at uta.edu
Thu Dec 23 17:09:40 UTC 2004
Hello all,
I'm trying to figure out how to get pam to properly handle expired
passwords. Currently, when a user logs in with an expired password, the
system will prompt him to change his password. If the password change
is SUCCESSFUL, the system will kick him off (and he can't log in until
his password change replicates). If the password change is REJECTED,
the system will give him a session (even though /var/log/messages
clearly shows that the Kerberos server rejected the password change).
Here is the system-auth file:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0076
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
And of course, my sshd and login use pam_stack to point to it, although
I also have tried putting these contents straight into the sshd and
login files.
Having failed at this, I want to get it to where, when the password is
expired, the system will simply respond "Your password is expired" and
then close the session. I found a way that almost works. Using the
following setup, the system will tell me that the password is expired,
ask me to REENTER my current password, and THEN close the session. I
would like it to drop my session before asking me to reenter the
password:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass debug
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so debug
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password [default=bad success=ok new_authtok_reqd=ok] /lib/security/$ISA/pam_krb5.so use_authtok debug
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0076
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so debug
What do you guys think?
-- DK
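To reason about what the two stacks above return, here is an added example (not from the post or from Linux-PAM): a simplified model of the pam.conf(5) control semantics, run over the account and password lines quoted above. The module return codes fed to it are constructed for illustration, not captured output, and the model deliberately omits the jump (N) and reset actions.

```python
# Simplified model of Linux-PAM stack evaluation (pam.conf(5) control semantics),
# added as an example; module return codes below are constructed, not real output.
SUCCESS, NEW_AUTHTOK_REQD = "PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD"
USER_UNKNOWN, AUTHTOK_ERR, PERM_DENIED = "PAM_USER_UNKNOWN", "PAM_AUTHTOK_ERR", "PAM_PERM_DENIED"

# Keyword controls as the bracket form they stand for (requisite omitted: unused here).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    # 'required' or '[default=bad success=ok ...]' -> {return_code_name: action}
    if control.startswith("["):
        return dict(p.split("=", 1) for p in control.strip("[]").split())
    return KEYWORDS[control]

def run_stack(stack):
    # stack: list of (control, module, simulated return code). Returns the stack's result.
    impression, status = None, None   # None = undefined, True = positive, False = negative
    for control, module, ret in stack:
        table = parse_control(control)
        action = table.get(ret[len("PAM_"):].lower(), table["default"])
        if action in ("ok", "done"):      # contributes unless an earlier module failed
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, ret
            if action == "done" and impression and status == SUCCESS:
                break                     # sufficient: stop early on a clean success
        elif action in ("bad", "die"):    # first failure fixes the stack's return code
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break                     # "ignore" falls through: no contribution
    return status if impression is not None else PERM_DENIED

KRB5_ACCT = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"

def account_stack_expired_krb_user():
    # Constructed: local account check passes, the KDC reports the password expired.
    return run_stack([("required", "pam_unix.so", SUCCESS),
                      (KRB5_ACCT, "pam_krb5.so", NEW_AUTHTOK_REQD)])
    # -> PAM_NEW_AUTHTOK_REQD, which is what makes login/sshd call pam_chauthtok()

def password_stack_rejected_change():
    # Constructed: cracklib accepts, user is Kerberos-only, KDC rejects, pam_deny fails it.
    return run_stack([("required", "pam_cracklib.so", SUCCESS),
                      ("sufficient", "pam_unix.so", USER_UNKNOWN),
                      ("sufficient", "pam_krb5.so", AUTHTOK_ERR),
                      ("required", "pam_deny.so", AUTHTOK_ERR)])
    # -> PAM_AUTHTOK_ERR: the password stack itself reports the failure
```

In this model the first configuration's password stack does return a failure when the KDC rejects the change, so whether a session is still granted afterwards is decided by how the calling application (login, sshd) handles a failed pam_chauthtok(), not by the stack.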