Kerberos expired passwords

Digant C Kasundra digant at uta.edu
Thu Dec 23 17:09:40 UTC 2004


Hello all,

I'm trying to figure out how to get pam to properly handle expired
passwords.  Currently, when a user logs in with an expired password, the
system will prompt him to change his password.  If the password change
is SUCCESSFUL, the system will kick him off (and he can't log in until
his password change replicates).  If the password change is REJECTED,
the system will give him a session (even though /var/log/messages
clearly shows that the Kerberos server rejected the password change).

Here is the system-auth file:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
 
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0076
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so


And of course, my sshd and login use pam_stack to point to it, although
I also have tried putting these contents straight into the sshd and
login files.

Having failed at this, I want to get it where when the password is
expired, the system will simply respond "Your password is expired" and
then close the session.  I found a way that almost works.  Using the
following setup, the system will tell me that the password is expired,
ask me to REENTER my current password, and THEN close the session.  I
would like it to drop my session before asking for me to reenter the
password:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass debug
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so debug
 
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    [default=bad success=ok new_authtok_reqd=ok] /lib/security/$ISA/pam_krb5.so use_authtok debug
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0076
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so debug


What do you guys think?

-- DK
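To reason about which composite result sshd and login actually receive from these stacks, here is an added Python model of the Linux-PAM control semantics from pam.conf(5); it is not the poster's code or Linux-PAM's own source, and the module return codes fed to it are assumptions, not values read from the poster's logs.

```python
# Added model of Linux-PAM stack evaluation written for this thread (not the
# poster's code nor Linux-PAM source); return codes fed in are assumptions.

# Keyword controls expand to these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_control(control):
    """Turn a keyword or a [value=action ...] control into a dict."""
    spec = KEYWORDS.get(control, control.strip("[]"))
    return dict(item.split("=", 1) for item in spec.split())

def run_stack(stack, results):
    """stack: [(control, module)]; results: module -> return code. Returns the composite status sshd/login sees."""
    impression, status = None, "success"       # None: no module has counted yet
    for control, module in stack:
        retval = results[module]
        table = parse_control(control)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("ok", "done"):
            # 'ok' only overrides while the stack is still clean and successful
            if impression is None or (impression == "+" and status == "success"):
                if retval != "ignore":
                    impression, status = "+", retval
            if action == "done" and impression == "+":
                break                             # sufficient: stop early
        elif action in ("bad", "die"):
            if impression != "-":
                impression, status = "-", retval  # first failure wins
            if action == "die":
                break
        # 'ignore' leaves state untouched; numeric jumps are not modelled
    return status

# Poster's account stack, with pam_krb5 reporting an expired password.
ACCOUNT = [("required", "pam_unix"),
           ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]", "pam_krb5")]
# pam_krb5 password line from each of the poster's two configs, plus the trailing pam_deny.
PASSWORD_V1 = [("sufficient", "pam_krb5"), ("required", "pam_deny")]
PASSWORD_V2 = [("[default=bad success=ok new_authtok_reqd=ok]", "pam_krb5"), ("required", "pam_deny")]

def account_expired():
    return run_stack(ACCOUNT, {"pam_unix": "success", "pam_krb5": "new_authtok_reqd"})

def password_change(stack, krb5_result):
    return run_stack(stack, {"pam_krb5": krb5_result, "pam_deny": "perm_denied"})
```

Note that in PASSWORD_V2 a successful pam_krb5 maps to "ok", which does not stop the stack, so the trailing required pam_deny still turns the result into perm_denied; "sufficient" ("done") returns success before pam_deny is reached.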
