[rhn-users] force user to change password on first login
Raj Kumar
rajkum2002 at rediffmail.com
Sat Feb 19 17:44:18 UTC 2005
Hi Richard,
/etc/pam.d/system-auth is another file to compare.
Do you use pam_unix or pam_unix2?
more system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
-----------------------
error messages in /var/log/message:
sshd(pam_unix)[12002]: expired password for user user1 (root enforced)
sshd(pam_unix)[12004]: session opened for user user1 by (uid=501)
sshd(pam_unix)[12004]: session closed for user user1
But what is confusing is both /etc/pam.d/su and sshd references system-auth for auth and account. So why does su work but sshd fail?
Thanks again for your help!
Raj
On Sat, 19 Feb 2005 Raj Kumar wrote :
>Hi Richard,
>
>I also tried this now
>/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
>
>It still doesn't work. After executing the above command chage -l user1 reports:
>
>Minimum: -1
>Maximum: -1
>Warning: -1
>Inactive: -1
>Last Change: Never
>Password Expires: Never
>Password Inactive: Never
>Account Expires: Never
>
>Do you get similar output? What ssh client are you using? I tried with Mindterm, openssh client installed on linux and ssh client installed with cygwin. They all don't work. I get the error message and the connection is terminated immediately. But if I login as user2 and then try "su user1" I get the error message and then the prompt to change password (similar to the prompts you get when passwd is run).
>
>Since it works with su and not with ssh and the authentication process goes through PAM I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files?
>We should probably compare the module-type "account" settings in these files. I dont see the difference in account modules in my /etc/pam.d/su and /etc/pam.d/sshd/ files
>
>
> more /etc/pam.d/su
>
>#%PAM-1.0
>auth sufficient /lib/security/$ISA/pam_rootok.so
># Uncomment the following line to implicitly trust users in the "wheel" group.
>#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
># Uncomment the following line to require a user to be in the "wheel" group.
>#auth required /lib/security/$ISA/pam_wheel.so use_uid
>auth required /lib/security/$ISA/pam_stack.so service=system-auth
>account required /lib/security/$ISA/pam_stack.so service=system-auth
>password required /lib/security/$ISA/pam_stack.so service=system-auth
>session required /lib/security/$ISA/pam_stack.so service=system-auth
>session optional /lib/security/$ISA/pam_xauth.so
>
>---------------------------------------------------------------
>
>more /etc/pam.d/sshd
>
>#%PAM-1.0
>auth required pam_stack.so service=system-auth
>auth required pam_nologin.so
>account required pam_stack.so service=system-auth
>password required pam_stack.so service=system-auth
>session required pam_stack.so service=system-auth
>session required pam_limits.so
>session optional pam_console.so
>
>
>Thanks for your help!
>Raj
>
>
>On Sat, 19 Feb 2005 Richard Lefebvre wrote :
> >It seems to work for me, I do put everything else to -1:
> >
> >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
> >
> >Also, I don't permit login via telnet, or rlogin only ssh
> >
> >
> >Raj Kumar wrote:
> >> Hi Richard!
> >>
> >>I tried that before. The error message I get is
> >> You are required to change your password immediately (root enforced)
> >>Your password has expired, the session cannot proceed.
> >>Connection to testserver closed
> >>
> >>The user does not get to the prompt to change password. How else can he change the password if he doesnt have access to the shell?
> >>
> >>thank you,
> >>Raj
> >>
> >>
> >>
> >>On Fri, 18 Feb 2005 Richard Lefebvre wrote :
> >> >"chage -d 0 user1" should do the trick.
> >> >
> >> >Richard
> >> >
> >> >Raj Kumar wrote:
> >> >>Hi Mike,
> >> >>
> >> >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24Hrs.
> >> >>
> >> >>Are there any other options to force the user to change their passwords at first logon?
> >> >>
> >> >>Thank you,
> >> >>Raj
> >> >>
> >> >>
> >>
> >>
> >>
> >><http://clients.rediff.com/signature/track_sig.asp>
>_______________________________________________
>rhn-users mailing list
>rhn-users at redhat.com
>https://www.redhat.com/mailman/listinfo/rhn-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/rhn-users/attachments/20050219/2df692d6/attachment.htm>
More information about the rhn-users
mailing list