[rhn-users] force user to change password on first login

Raj Kumar rajkum2002 at rediffmail.com
Sat Feb 19 17:44:18 UTC 2005


Hi Richard,

/etc/pam.d/system-auth is another file to compare.
Do you use pam_unix or pam_unix2?

  
more system-auth 
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so

-----------------------
error messages in /var/log/message:
sshd(pam_unix)[12002]: expired password for user user1 (root enforced)
sshd(pam_unix)[12004]: session opened for user user1 by (uid=501)
sshd(pam_unix)[12004]: session closed for user user1

But what is confusing is both /etc/pam.d/su and sshd reference system-auth for auth and account. So why does su work but sshd fail?

Thanks again for your help!

Raj

On Sat, 19 Feb 2005 Raj  Kumar wrote :
>Hi Richard,
>
>I also tried this now
>/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
>
>It still doesn't work. After executing the above command  chage -l user1 reports:
>
>Minimum:        -1
>Maximum:        -1
>Warning:        -1
>Inactive:       -1
>Last Change:            Never
>Password Expires:       Never
>Password Inactive:      Never
>Account Expires:        Never
>
>Do you get similar output? What ssh client are you using? I tried with Mindterm, openssh client installed on linux and ssh client installed with cygwin. They all don't work. I get the error message and the connection is terminated immediately. But if I login as user2 and then try "su user1" I get the error message and then the prompt to change password (similar to the prompts you get when passwd is run).
>
>Since it works with su and not with ssh and the authentication process goes through PAM I wonder if you have different settings. Can you post your PAM version, /etc/pam.d/su and /etc/pam.d/sshd files?
>We should probably compare the module-type "account" settings in these files. I don't see the difference in account modules in my /etc/pam.d/su and /etc/pam.d/sshd files
>
>
>  more /etc/pam.d/su
>
>#%PAM-1.0
>auth       sufficient   /lib/security/$ISA/pam_rootok.so
># Uncomment the following line to implicitly trust users in the "wheel" group.
>#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
># Uncomment the following line to require a user to be in the "wheel" group.
>#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
>auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
>account    required     /lib/security/$ISA/pam_stack.so service=system-auth
>password   required     /lib/security/$ISA/pam_stack.so service=system-auth
>session    required     /lib/security/$ISA/pam_stack.so service=system-auth
>session    optional     /lib/security/$ISA/pam_xauth.so
>
>---------------------------------------------------------------
>
>more /etc/pam.d/sshd
>
>#%PAM-1.0
>auth       required     pam_stack.so service=system-auth
>auth       required     pam_nologin.so
>account    required     pam_stack.so service=system-auth
>password   required     pam_stack.so service=system-auth
>session    required     pam_stack.so service=system-auth
>session    required     pam_limits.so
>session    optional     pam_console.so
>
>
>Thanks for your help!
>Raj
>
>
>On Sat, 19 Feb 2005 Richard Lefebvre wrote :
> >It seems to work for me, I do put everything else to -1:
> >
> >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
> >
> >Also, I don't permit login via telnet or rlogin, only ssh
> >
> >
> >Raj Kumar wrote:
> >>   Hi Richard!
> >>
> >>I tried that before. The error message I get is
> >>  You are required to change your password immediately (root enforced)
> >>Your password has expired, the session cannot proceed.
> >>Connection to testserver closed
> >>
> >>The user does not get to the prompt to change password. How else can he change the password if he doesn't have access to the shell?
> >>
> >>thank you,
> >>Raj
> >>
> >>
> >>
> >>On Fri, 18 Feb 2005 Richard Lefebvre wrote :
> >>  >"chage -d 0 user1" should do the trick.
> >>  >
> >>  >Richard
> >>  >
> >>  >Raj Kumar wrote:
> >>  >>Hi Mike,
> >>  >>
> >>  >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change password after 24 hrs.
> >>  >>
> >>  >>Are there any other options to force the user to change their passwords at first logon?
> >>  >>
> >>  >>Thank you,
> >>  >>Raj
> >>  >>
> >>  >>
> >>
> >>
> >>
>_______________________________________________
>rhn-users mailing list
>rhn-users at redhat.com
>https://www.redhat.com/mailman/listinfo/rhn-users
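The thread turns on what the "account" step of the PAM stack decides for a user whose last-change day has been zeroed with `chage -d 0`. The following script is an added example, not code from the rhn-users list, from pam_unix or from shadow-utils. It replays the checks pam_unix's account module applies to the /etc/shadow aging fields (account expiry date, inactivity window, maximum age, the zero last-change marker, and the expiry warning) and shows that `chage -d 0` produces exactly the "(root enforced)" verdict seen in the sshd log above. Both /etc/pam.d/su and /etc/pam.d/sshd reach pam_unix through system-auth, so this verdict is the same for both; what differs is how the calling program reacts to PAM_NEW_AUTHTOK_REQD (in the thread, su goes on to the password prompt while sshd closes the connection). The shadow lines and the day counts are constructed sample data, and the function names are the example's own.

```python
#!/usr/bin/env python3
"""Password-aging check in the style of pam_unix's account module.

Added example for this thread; it is not code from the rhn-users list,
from pam_unix or from shadow-utils.  It replays the checks pam_unix
applies to the /etc/shadow aging fields to decide whether a login
proceeds, must change its password first, or is refused.  The shadow
lines and day counts below are constructed sample data.
"""
from dataclasses import dataclass, replace
from typing import Dict, Tuple

# Constructed sample of /etc/shadow (hash field replaced by "x").
# Fields: name:hash:lastchg:min:max:warn:inact:expire:reserved
# Aging fields are day counts since 1970-01-01; empty or -1 means "not set".
SAMPLE_SHADOW = """\
user1:x:0:-1:-1:-1:-1:-1:
user2:x:12800:0:99999:7:::
user3:x:12700:0:30:7:::
user4:x:12600:0:30:7:10::
user5:x:12800:0:99999:7::12810:
user6:x:12810:0:30:14:::
"""

TODAY = 12833  # constructed "current day" (roughly the date of the thread)


@dataclass(frozen=True)
class ShadowEntry:
    name: str
    lastchg: int   # 0 means "must change at next login"; this is what `chage -d 0` sets
    min_days: int
    max_days: int
    warn: int
    inact: int
    expire: int


def _age(field: str) -> int:
    """An empty aging field is 'not set'; pam_unix treats it like -1."""
    return int(field) if field.strip() else -1


def parse_shadow(text: str) -> Dict[str, ShadowEntry]:
    """Parse shadow-format lines into entries keyed by user name."""
    entries: Dict[str, ShadowEntry] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < 8:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries[f[0]] = ShadowEntry(f[0], *(_age(x) for x in f[2:8]))
    return entries


def check_account(e: ShadowEntry, today: int = TODAY) -> Tuple[str, str]:
    """Return (PAM-style result, user-visible message) in pam_unix's order of checks."""
    if e.expire != -1 and today > e.expire:
        return "PAM_ACCT_EXPIRED", "Your account has expired; please contact your system administrator"
    if (e.max_days != -1 and e.inact != -1 and e.lastchg != 0
            and today > e.lastchg + e.max_days + e.inact):
        # Password aged past the inactivity window: login is refused outright.
        return "PAM_AUTHTOK_EXPIRED", "Your account has expired; please contact your system administrator"
    if e.max_days != -1 and today > e.lastchg + e.max_days:
        return "PAM_NEW_AUTHTOK_REQD", "You are required to change your password immediately (password aged)"
    if e.lastchg == 0:
        # The `chage -d 0` case and the "(root enforced)" line in the thread's sshd log.
        return "PAM_NEW_AUTHTOK_REQD", "You are required to change your password immediately (root enforced)"
    if e.max_days != -1 and e.warn != -1 and today > e.lastchg + e.max_days - e.warn:
        left = e.lastchg + e.max_days - today
        return "PAM_SUCCESS", f"Warning: your password will expire in {left} day{'s' if left != 1 else ''}"
    return "PAM_SUCCESS", ""


def force_change_at_next_login(e: ShadowEntry) -> ShadowEntry:
    """What `chage -d 0 user` does to the entry: zero the last-change day, nothing else."""
    return replace(e, lastchg=0)


def evaluate_all(text: str, today: int = TODAY) -> Dict[str, str]:
    """Map each user in the shadow text to its PAM-style account result."""
    return {n: check_account(e, today)[0] for n, e in parse_shadow(text).items()}


if __name__ == "__main__":
    for name, entry in parse_shadow(SAMPLE_SHADOW).items():
        result, msg = check_account(entry)
        print(f"{name:6} {result:22} {msg}")
```

Running it prints one line per sample user; user1 (the `chage -d 0` shape from the thread) comes out as PAM_NEW_AUTHTOK_REQD with the "root enforced" text, while user4 shows the stricter case where an aged password plus an elapsed inactivity window refuses the login instead of offering a change.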