How to disable password changes for Kerberos setups


We manage all passwords (Kerberos) in our institute with an extra tool.
Expired passwords also have to be renewed with this tool.

So I removed the password section completely from the PAM config,
but I still get the following lines when I log in via ssh
with an expired password:

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user expuser.
passwd: Permission denied
Connection to testnode closed.

I am looking for a PAM config which handles the expired status like a disabled account
or a wrong password, without the "Changing password for user expuser.
passwd: Permission denied" lines.



OS: RHEL clone 6.5 (Scientific Linux)

Package Version:

In the pam log I see:
pam_krb5[18333]: account checks fail for 'expuser': password has expired
pam_krb5[18333]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for expuser from 131.w.x.y port 49334 ssh2
pam_krb5[18333]: default/local realm 'TEST.NET'
pam_krb5[18333]: configured realm 'TEST.NET'
pam_krb5[18333]: flag: debug
pam_krb5[18333]: flags: forwardable not proxiable
pam_krb5[18333]: flag: no ignore_afs
pam_krb5[18333]: flag: no null_afs
pam_krb5[18333]: flag: tokens
pam_krb5[18333]: flag: no cred_session
pam_krb5[18333]: flag: user_check
pam_krb5[18333]: flag: no krb4_convert
pam_krb5[18333]: flag: krb4_convert_524
pam_krb5[18333]: flag: krb4_use_as_req
pam_krb5[18333]: will try previously set password first
pam_krb5[18333]: will ask for a password if that fails
pam_krb5[18333]: will let libkrb5 ask questions
pam_krb5[18333]: flag: use_shmem
pam_krb5[18333]: flag: external
pam_krb5[18333]: flag: no multiple_ccaches
pam_krb5[18333]: flag: warn
pam_krb5[18333]: ticket lifetime: 86400s (1d,0h,0m,0s)
pam_krb5[18333]: renewable lifetime: 172800s (2d,0h,0m,0s)
pam_krb5[18333]: minimum uid: 0
pam_krb5[18333]: banner: Kerberos 5
pam_krb5[18333]: ccache dir: /xyz
pam_krb5[18333]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
pam_krb5[18333]: keytab: FILE:/etc/krb5.keytab
pam_krb5[18333]: token strategy: v4,524,2b,rxk5
pam_krb5[18333]: afs cell: test.net
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session setup
pam_krb5[18333]: pam_sm_open_session returning 0 (Success)
pam_unix(sshd:session): session opened for user expuser by (uid=0)
Received disconnect from 131.w.x.y: 11: disconnected by user
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session cleanup
pam_krb5[18333]: pam_sm_close_session returning 0 (Success)
pam_unix(sshd:session): session closed for user expuser

pam config:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so debug
account     required      pam_unix.so   broken_shadow debug
account     sufficient    pam_localuser.so debug
account     sufficient    pam_succeed_if.so uid < 500 quiet debug
account [default=bad success=ok user_unknown=ignore]   pam_krb5.so debug
account     required      pam_permit.so debug

#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
#password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password       sufficient      pam_krb5.so     use_authtok
#password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so debug
session     optional      pam_krb5.so debug
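
Added example, not part of the original post: the log above shows pam_acct_mgmt returning 12 (new authentication token required) and a session still being opened for the same user, and this script finds that sequence in log lines of the same format. The function name `expired_sessions` and the sample lines are assumptions made up for illustration.

```python
import re

# Patterns follow the pam_krb5 debug and pam_unix lines quoted in the post.
ACCT_FAIL = re.compile(r"pam_krb5\[(\d+)\]: account checks fail for '([^']+)': (.+)")
ACCT_RET = re.compile(r"pam_krb5\[(\d+)\]: pam_acct_mgmt returning (\d+) ")
SESSION_OPEN = re.compile(r"pam_unix\(([^:)]+):session\): session opened for user (\S+)")

PAM_NEW_AUTHTOK_REQD = 12  # Linux-PAM value, matches "returning 12" in the log


def expired_sessions(lines):
    """Return (service, user) pairs where a session was opened after the
    account phase reported PAM_NEW_AUTHTOK_REQD for that user."""
    user_by_pid = {}   # pam_krb5 PID -> user named in "account checks fail"
    expired = set()    # users whose account phase returned 12
    hits = []
    for line in lines:
        m = ACCT_FAIL.search(line)
        if m:
            user_by_pid[m.group(1)] = m.group(2)
            continue
        m = ACCT_RET.search(line)
        if m:
            user = user_by_pid.pop(m.group(1), None)
            if user and int(m.group(2)) == PAM_NEW_AUTHTOK_REQD:
                expired.add(user)
            continue
        m = SESSION_OPEN.search(line)
        if m and m.group(2) in expired:
            hits.append((m.group(1), m.group(2)))
            expired.discard(m.group(2))
    return hits


# Constructed sample in the format of the post's log (users and PIDs are made up).
SAMPLE = """\
pam_krb5[2001]: account checks fail for 'alice': password has expired
pam_krb5[2001]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for alice from 192.0.2.10 port 40000 ssh2
pam_unix(sshd:session): session opened for user alice by (uid=0)
pam_krb5[2002]: account checks fail for 'bob': account is locked
pam_krb5[2002]: pam_acct_mgmt returning 6 (Permission denied)
pam_unix(sshd:session): session opened for user carol by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for service, user in expired_sessions(SAMPLE):
        print(f"{service}: session opened for {user} with expired password")
```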

