Howto disable password changes for kerberos setups
Sternberger, Sven
sven.sternberger at desy.de
Mon Mar 3 10:07:22 UTC 2014
Hello!
We manage all passwords (Kerberos) in our institute with an extra tool.
Expired passwords also have to be renewed with this tool.
So I removed the password section completely from the PAM config,
but I still get the following lines when I log in via ssh
with an expired password.
>>
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user expuser.
passwd: Permission denied
Connection to testnode closed.
<<
I am looking for a PAM config which handles the expired status like a disabled account
or a wrong password, without the lines "Changing password for user expuser.
passwd: Permission denied".
Regards!
Sven
OS: RHEL clone 6.5 (Scientific Linux)
Package versions:
pam-1.1.1-17.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-workstation-1.10.3-10.el6_4.6.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64
openafs-krb5-1.6.5.1-147.sl6.x86_64
In the pam log I see:
pam_krb5[18333]: account checks fail for 'expuser': password has expired
pam_krb5[18333]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for expuser from 131.w.x.y port 49334 ssh2
pam_krb5[18333]: default/local realm 'TEST.NET'
pam_krb5[18333]: configured realm 'TEST.NET'
pam_krb5[18333]: flag: debug
pam_krb5[18333]: flags: forwardable not proxiable
pam_krb5[18333]: flag: no ignore_afs
pam_krb5[18333]: flag: no null_afs
pam_krb5[18333]: flag: tokens
pam_krb5[18333]: flag: no cred_session
pam_krb5[18333]: flag: user_check
pam_krb5[18333]: flag: no krb4_convert
pam_krb5[18333]: flag: krb4_convert_524
pam_krb5[18333]: flag: krb4_use_as_req
pam_krb5[18333]: will try previously set password first
pam_krb5[18333]: will ask for a password if that fails
pam_krb5[18333]: will let libkrb5 ask questions
pam_krb5[18333]: flag: use_shmem
pam_krb5[18333]: flag: external
pam_krb5[18333]: flag: no multiple_ccaches
pam_krb5[18333]: flag: warn
pam_krb5[18333]: ticket lifetime: 86400s (1d,0h,0m,0s)
pam_krb5[18333]: renewable lifetime: 172800s (2d,0h,0m,0s)
pam_krb5[18333]: minimum uid: 0
pam_krb5[18333]: banner: Kerberos 5
pam_krb5[18333]: ccache dir: /xyz
pam_krb5[18333]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
pam_krb5[18333]: keytab: FILE:/etc/krb5.keytab
pam_krb5[18333]: token strategy: v4,524,2b,rxk5
pam_krb5[18333]: afs cell: test.net
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session setup
pam_krb5[18333]: pam_sm_open_session returning 0 (Success)
pam_unix(sshd:session): session opened for user expuser by (uid=0)
Received disconnect from 131.w.x.y: 11: disconnected by user
...
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session cleanup
pam_krb5[18333]: pam_sm_close_session returning 0 (Success)
pam_unix(sshd:session): session closed for user expuser
PAM config:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_access.so debug
account required pam_unix.so broken_shadow debug
account sufficient pam_localuser.so debug
account sufficient pam_succeed_if.so uid < 500 quiet debug
account [default=bad success=ok user_unknown=ignore] pam_krb5.so debug
account required pam_permit.so debug
#password requisite pam_cracklib.so try_first_pass retry=3 type=
#password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password sufficient pam_krb5.so use_authtok
#password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so debug
session optional pam_krb5.so debug
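As an added illustration (not part of Sven's mail and not Linux-PAM's own code): a simplified Python model of libpam's stack evaluation, run over the account stack above, showing that pam_krb5's return code 12 (PAM_NEW_AUTHTOK_REQD) becomes the result of pam_acct_mgmt, which is the value the log reports and the value sshd acts on by forcing a password change. The per-module return codes, and the assumption that expuser is a non-local account with uid >= 500, are constructed for the example.

```python
# Simplified model of libpam's stack evaluation (pam_dispatch.c); jumps and "reset" are left out.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_USER_UNKNOWN, PAM_NEW_AUTHTOK_REQD, PAM_IGNORE = 10, 12, 25
PAM_MUST_FAIL_CODE = PAM_PERM_DENIED          # libpam's "nothing decided" status
RETVAL_NAME = {0: "success", 6: "perm_denied", 7: "auth_err", 10: "user_unknown",
               12: "new_authtok_reqd", 25: "ignore"}
# The keyword controls are shorthand for these bracketed action tables.
KEYWORD = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into {retval_name: action}."""
    table = KEYWORD.get(control, control).strip("[]").split()
    return dict(item.split("=", 1) for item in table)

def dispatch(stack):
    """stack: [(control, module, return_code)]. Returns the final status the way
    pam_acct_mgmt() would report it for this stack."""
    impression, status = None, PAM_MUST_FAIL_CODE      # None == _PAM_UNDEF
    for control, module, retval in stack:
        actions = parse_control(control)
        action = actions.get(RETVAL_NAME.get(retval, ""), actions["default"])
        if action in ("ok", "done"):
            # Only an undecided stack, or a positive one still at SUCCESS, adopts the code.
            if impression is None or (impression == "+" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression is None:
                    impression, status = "+", retval
            if impression == "+" and action == "done":
                break                                  # 'sufficient' short-circuit
        elif action in ("bad", "die"):
            if impression != "-":                      # the first failure's code sticks
                impression = "-"
                status = PAM_MUST_FAIL_CODE if retval == PAM_IGNORE else retval
            if action == "die":
                break
        # action "ignore": the module's result does not influence the stack
    return status

def account_stack(krb5_retval, krb5_control="[default=bad success=ok user_unknown=ignore]"):
    """The poster's account stack for a non-local Kerberos user with uid >= 500 (assumed):
    pam_unix tolerates the missing shadow entry, pam_localuser and pam_succeed_if reject."""
    return [("required", "pam_access", PAM_SUCCESS), ("required", "pam_unix", PAM_SUCCESS),
            ("sufficient", "pam_localuser", PAM_PERM_DENIED), ("sufficient", "pam_succeed_if", PAM_AUTH_ERR),
            (krb5_control, "pam_krb5", krb5_retval), ("required", "pam_permit", PAM_SUCCESS)]
```

dispatch(account_stack(PAM_NEW_AUTHTOK_REQD)) returns 12, matching the "pam_acct_mgmt returning 12" line in the log, and changing pam_krb5's control to plain "required" still returns 12: the control decides whether later modules may overwrite the status, it never translates the code itself.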