[rhn-users] force user to change password on first login
Raj Kumar
rajkum2002 at rediffmail.com
Sat Feb 19 17:27:48 UTC 2005
Hi Richard,
I also tried this now:
/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
It still doesn't work. After executing the above command chage -l user1 reports:
Minimum: -1
Maximum: -1
Warning: -1
Inactive: -1
Last Change: Never
Password Expires: Never
Password Inactive: Never
Account Expires: Never
Do you get similar output? What ssh client are you using? I tried with Mindterm, the openssh client installed on Linux, and the ssh client installed with Cygwin. None of them work. I get the error message and the connection is terminated immediately. But if I log in as user2 and then try "su user1", I get the error message and then the prompt to change the password (similar to the prompts you get when passwd is run).
Since it works with su and not with ssh, and the authentication process goes through PAM, I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files?
We should probably compare the module-type "account" settings in these files. I don't see a difference in the account modules in my /etc/pam.d/su and /etc/pam.d/sshd files:
more /etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
session required /lib/security/$ISA/pam_stack.so service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
---------------------------------------------------------------
more /etc/pam.d/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Thanks for your help!
Raj
On Sat, 19 Feb 2005 Richard Lefebvre wrote :
>It seems to work for me, I do put everything else to -1:
>
>/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
>
>Also, I don't permit login via telnet or rlogin, only ssh.
>
>
>Raj Kumar wrote:
>> Hi Richard!
>>
>>I tried that before. The error message I get is
>> You are required to change your password immediately (root enforced)
>>Your password has expired, the session cannot proceed.
>>Connection to testserver closed
>>
>>The user does not get to the prompt to change the password. How else can he change the password if he doesn't have access to the shell?
>>
>>thank you,
>>Raj
>>
>>
>>
>>On Fri, 18 Feb 2005 Richard Lefebvre wrote :
>> >"chage -d 0 user1" should do the trick.
>> >
>> >Richard
>> >
>> >Raj Kumar wrote:
>> >>Hi Mike,
>> >>
>> >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change the password after 24 hours.
>> >>
>> >>Are there any other options to force the user to change their passwords at first logon?
>> >>
>> >>Thank you,
>> >>Raj
>> >>
>> >>
>>
>>
>>
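The comparison of "account" settings proposed in the message above, as an added example that is not part of the original thread. The function names are hypothetical and the two sample files are excerpts of the su and sshd files posted above; since both stacks delegate to system-auth, this only compares the service files themselves.

```shell
#!/bin/sh
# Added example (not from the thread): compare the "account" entries of two
# PAM service files after normalizing module paths.

# Read a PAM service file on stdin; print each account entry as
# "control module args", with the module path reduced to its file name.
pam_account_stack() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        {
            type = $1; sub(/^-/, "", type)       # "-account" is still account
            if (type != "account") next
            i = 2; control = $i
            # A bracketed control like [default=bad success=ok] spans fields.
            while (control ~ /^\[/ && control !~ /\]$/ && i < NF) { i++; control = control " " $i }
            if (++i > NF) next                   # malformed: no module field
            n = split($i, p, "/"); out = control " " p[n]
            while (++i <= NF) out = out " " $i
            print out
        }'
}

# Print both normalized stacks; return 0 if they match, 1 if they differ.
pam_account_compare() {
    a=$(pam_account_stack < "$1"); b=$(pam_account_stack < "$2")
    printf '%s:\n%s\n%s:\n%s\n' "$1" "$a" "$2" "$b"
    [ "$a" = "$b" ]
}

# Excerpts of the two files posted in the thread, written into directory $1.
write_thread_samples() {
    cat > "$1/su" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
auth required /lib/security/$ISA/pam_stack.so service=system-auth
account required /lib/security/$ISA/pam_stack.so service=system-auth
password required /lib/security/$ISA/pam_stack.so service=system-auth
EOF
    cat > "$1/sshd" <<'EOF'
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
EOF
}

tmp=$(mktemp -d)
write_thread_samples "$tmp"
pam_account_compare "$tmp/su" "$tmp/sshd" && echo "account stacks match" || echo "account stacks differ"
rm -rf "$tmp"
```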