Forcing users to change password at login - Probably "Again"
Nigel Wade
nmw at ion.le.ac.uk
Thu Jul 17 10:17:46 UTC 2008
Ben Kevan wrote:
> On Tuesday 15 July 2008 07:25:06 am Nigel Wade wrote:
>> Ben Kevan wrote:
>>> And just to make me feel bad..
>>>
>>> chage -d 0 does what my script does.. but for some reason when you su
>>> username in RHEL 4 it does not look for the expiration in /etc/shadow
>> It does here.
>> # chage -d 0 testuser2
>> ...
>>
>> $ su - testuser2
>> Password:
>> You are required to change your password immediately (root enforced)
>> Changing password for testuser2
>> (current) UNIX password:
>>
>> Maybe you have modified some configuration which breaks it. Check
>> /etc/pam.d/su and system-auth.
>
>
> $ sudo sh createuser -u5000 -c"Test User" tuser
> This is what is to be added - ok? (^C if not)
> tuser::5000:100:Test User:/home/tuser:/bin/bash
>
> User has been added to system! Remind them to change password after first
> logon
> $ su - tuser
> Password:
> [tuser]$
>
> Here is /etc/pam.d/su
> #%PAM-1.0
> auth sufficient /lib/security/$ISA/pam_rootok.so
> # Uncomment the following line to implicitly trust users in the "wheel" group.
> #auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
> # Uncomment the following line to require a user to be in the "wheel" group.
> #auth required /lib/security/$ISA/pam_wheel.so use_uid
> auth required /lib/security/$ISA/pam_stack.so service=system-auth
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid
> quiet
> account required /lib/security/$ISA/pam_stack.so service=system-auth
> password required /lib/security/$ISA/pam_stack.so service=system-auth
> # pam_selinux.so close must be first session rule
> session required /lib/security/$ISA/pam_selinux.so close
> session required /lib/security/$ISA/pam_stack.so service=system-auth
> # pam_selinux.so open and pam_xauth must be last two session rules
> session required /lib/security/$ISA/pam_selinux.so open
> session optional /lib/security/$ISA/pam_xauth.so
>
> here is /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok
> md5 shadow
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
>
> What do you think? Or how are yours configured?
>
Using su or su - works here. The testuser2 entry in shadow is:
testuser2:xxxx:14075:0:0:7::14077:
There are some differences in my PAM configs, mostly due to me using
LDAP for authentication, but some may be significant. I have pam_passwdqc rather than
pam_cracklib for example.
My system-auth is:
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_passwdqc.so
min=disabled,disabled,12,7,7
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
session required /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/
and the su file is:
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so close
session required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_selinux.so open multiple
session optional /lib/security/$ISA/pam_xauth.so
--
Nigel Wade, System Administrator, Space Plasma Physics Group,
University of Leicester, Leicester, LE1 7RH, UK
E-mail : nmw at ion.le.ac.uk
Phone : +44 (0)116 2523548, Fax : +44 (0)116 2523555
More information about the redhat-list
mailing list