[rhn-users] force user to change password on first login

Raj Kumar rajkum2002 at rediffmail.com
Sat Feb 19 17:27:48 UTC 2005


Hi Richard,

I also tried this now
/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1

It still doesn't work. After executing the above command, chage -l user1 reports:

Minimum:        -1
Maximum:        -1
Warning:        -1
Inactive:       -1
Last Change:            Never
Password Expires:       Never
Password Inactive:      Never
Account Expires:        Never
  
Do you get similar output? What ssh client are you using? I tried with Mindterm, openssh client installed on linux and ssh client installed with cygwin. They all don't work. I get the error message and the connection is terminated immediately. But if I login as user2 and then try "su user1" I get the error message and then the prompt to change password (similar to the prompts you get when passwd is run).

Since it works with su and not with ssh and the authentication process goes through PAM I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files?
We should probably compare the module-type "account" settings in these files. I don't see the difference in account modules in my /etc/pam.d/su and /etc/pam.d/sshd files.


 more /etc/pam.d/su

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so

---------------------------------------------------------------

more /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so


Thanks for your help!
Raj


On Sat, 19 Feb 2005 Richard Lefebvre wrote :
>It seems to work for me, I do put everything else to -1:
>
>/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
>
>Also, I don't permit login via telnet, or rlogin only ssh
>
>
>Raj Kumar wrote:
>>   Hi Richard!
>>
>>I tried that before. The error message I get is
>>  You are required to change your password immediately (root enforced)
>>Your password has expired, the session cannot proceed.
>>Connection to testserver closed
>>
>>The user does not get to the prompt to change password. How else can he change the password if he doesn't have access to the shell?
>>
>>thank you,
>>Raj
>>
>>
>>
>>On Fri, 18 Feb 2005 Richard Lefebvre wrote :
>>  >"chage -d 0 user1" should do the trick.
>>  >
>>  >Richard
>>  >
>>  >Raj Kumar wrote:
>>  >>Hi Mike,
>>  >>
>>  >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24Hrs.
>>  >>
>>  >>Are there any other options to force the user to change their passwords at first logon?
>>  >>
>>  >>Thank you,
>>  >>Raj
>>  >>
>>  >>
>>
>>
>>
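The comparison proposed in the message above (the module-type "account" lines of /etc/pam.d/su against /etc/pam.d/sshd), written out as an added example that is not part of the original thread. The function names are hypothetical, and the parser assumes single-word control fields such as required or sufficient.

```shell
#!/bin/sh
# Added example, not from the thread. Compares one PAM module-type
# (auth, account, password, session) between two service files.
# Assumes single-word control fields (required, sufficient, ...).

# pam_lines TYPE FILE: print "control module args" for each active line
# of TYPE, dropping the module directory so /lib/security/$ISA/pam_stack.so
# and pam_stack.so compare equal. Order is kept: PAM stacks are ordered.
pam_lines() {
    awk -v mtype="$1" '
        $1 == mtype && NF >= 3 {       # commented lines start with "#..."
            sub(/^.*\//, "", $3)       # strip directory from module path
            out = $2
            for (i = 3; i <= NF; i++) out = out " " $i
            print out
        }' "$2"
}

# pam_compare TYPE FILE_A FILE_B: return 0 if the two stacks match,
# otherwise print both stacks and return 1.
pam_compare() {
    a=$(pam_lines "$1" "$2")
    b=$(pam_lines "$1" "$3")
    [ "$a" = "$b" ] && return 0
    printf '%s (%s):\n%s\n%s (%s):\n%s\n' "$2" "$1" "$a" "$3" "$1" "$b"
    return 1
}

# write_samples DIR: write the account and session lines quoted in the
# message above into DIR/su and DIR/sshd so the check runs offline.
write_samples() {
    cat > "$1/su" <<'EOF'
#%PAM-1.0
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
EOF
    cat > "$1/sshd" <<'EOF'
#%PAM-1.0
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so
EOF
}

# Usage: sh pamcmp.sh account /etc/pam.d/su /etc/pam.d/sshd
if [ $# -eq 3 ]; then pam_compare "$@"; fi
```

Run against the two files as posted, the account stacks compare equal and only the session stacks differ.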