Forcing users to change password at login - Probably "Again"

Ben Kevan ben.kevan at gmail.com
Tue Jul 15 17:52:43 UTC 2008


On Tuesday 15 July 2008 07:25:06 am Nigel Wade wrote:
> Ben Kevan wrote:
> > And just to make me feel bad..
> >
> > chage -d 0 does what my script does.. but for some reason when you su
> > username in RHEL 4 it does not look for the expiration in /etc/shadow
>
> It does here.
> # chage -d 0 testuser2
> ...
>
> $ su - testuser2
> Password:
> You are required to change your password immediately (root enforced)
> Changing password for testuser2
> (current) UNIX password:
>
> Maybe you have modified some configuration which breaks it. Check
> /etc/pam.d/su and system-auth.


$ sudo sh createuser -u5000 -c"Test User" tuser
This is what is to be added - ok? (^C if not)
tuser::5000:100:Test User:/home/tuser:/bin/bash

User has been added to system! Remind them to change password after first 
logon
$ su - tuser
Password:
[tuser]$        

Here is /etc/pam.d/su
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open
session    optional     /lib/security/$ISA/pam_xauth.so

here is /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

What do you think? Or how are yours configured?
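An added worked example, not part of the thread and not Red Hat's code, showing the two things worth checking when a `chage -d 0` flag does not produce the "You are required to change your password immediately" prompt. First, the flag itself is nothing more than a last-change day of 0 in the third field of the user's /etc/shadow entry, and pam_unix's account check is what turns that 0 into a forced change. Second, PAM evaluates a stack top to bottom and a `sufficient` entry that succeeds ends the stack right there, so any entry below it (such as the pam_stack line that hands off to system-auth, and through it to pam_unix) is never consulted; with `use_uid`, pam_succeed_if tests the uid of the user running `su`, not the target user. The script works on constructed sample data embedded inline (the shadow lines and the two PAM stacks are assumptions modelled on the files posted above, not copies of a real system) and takes "today" as a day number so it runs deterministically offline; `password_status`, `account_stack` and `sufficient_precedes_expiry_check` are names chosen for this example.

```shell
#!/bin/sh
# Example code for this thread, not from the original post or from Red Hat.
set -eu

# Constructed /etc/shadow sample (fields: name:hash:lastchg:min:max:warn:inactive:expire:).
# "tuser" is what "chage -d 0 tuser" produces: last-change day 0.
SAMPLE_SHADOW='root:$1$abc:14000:0:99999:7:::
tuser:$1$xyz:0:0:99999:7:::
olduser:$1$def:13500:0:90:7:::'

# Constructed account stacks with the same shape as the posted /etc/pam.d/su and system-auth.
SAMPLE_SU_PAM='auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    sufficient   /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid quiet
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth'

SAMPLE_SYSTEM_AUTH='account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     required      /lib/security/$ISA/pam_permit.so'

# Classify a shadow entry the way pam_unix's account check does (simplified):
#   forced  : last-change day is 0 (written by "chage -d 0")
#   expired : today is past lastchg + max
#   ok      : nothing to enforce
#   unknown : no such user in the sample
# Usage: password_status USER TODAY_IN_DAYS_SINCE_EPOCH
password_status() {
  user="$1"; today="$2"
  line=$(printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$user" '$1==u {print; exit}')
  if [ -z "$line" ]; then echo unknown; return 0; fi
  lastchg=$(printf '%s\n' "$line" | cut -d: -f3)
  max=$(printf '%s\n' "$line" | cut -d: -f5)
  if [ "$lastchg" = "0" ]; then
    echo forced
  elif [ -n "$max" ] && [ "$today" -gt $((lastchg + max)) ]; then
    echo expired
  else
    echo ok
  fi
}

# Print the account-type entries of a PAM service file, in evaluation order,
# as "control module" pairs (comments and other types are skipped).
account_stack() {
  printf '%s\n' "$1" | awk '$1=="account" {print $2, $3}'
}

# Return 0 if a "sufficient" account entry sits above the entry that performs the
# expiry check (pam_unix, or pam_stack delegating to system-auth). When that
# sufficient entry succeeds, e.g. pam_succeed_if with use_uid and a root caller,
# the stack stops and the forced-change result from pam_unix is never produced.
sufficient_precedes_expiry_check() {
  account_stack "$1" | awk '
    $1=="sufficient" && !seen_expiry { early_sufficient = 1 }
    $2 ~ /pam_unix\.so|pam_stack\.so/ { seen_expiry = 1 }
    END { exit (early_sufficient ? 0 : 1) }'
}

# Demonstration on the constructed data (day 14075 is an arbitrary "today").
for u in root tuser olduser; do
  printf '%-8s %s\n' "$u" "$(password_status "$u" 14075)"
done
if sufficient_precedes_expiry_check "$SAMPLE_SU_PAM"; then
  echo "su: a sufficient account entry precedes the expiry check (root callers skip it)"
fi
if ! sufficient_precedes_expiry_check "$SAMPLE_SYSTEM_AUTH"; then
  echo "system-auth: pam_unix runs before any sufficient entry"
fi
```

To apply this to a live box, replace the embedded samples with `grep '^tuser:' /etc/shadow` and the real /etc/pam.d/su and system-auth, and pass `$(( $(date +%s) / 86400 ))` as today. A last-change field of 0 together with an account stack where pam_unix is reached before any `sufficient` entry is the combination that yields the forced-change prompt Nigel shows.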




More information about the redhat-list mailing list