[rhn-users] force user to change password on first login

Raj Kumar rajkum2002 at rediffmail.com
Sat Feb 19 18:03:16 UTC 2005


Hello again!

Sorry for too many emails... just another thought occurred to me: the application developers might have implemented "sshd" differently from "su". su probably recognizes the error that the password has expired and calls the "password" module, but sshd may just return when auth returns an error message. Does anyone follow me? My guess is that the sshd daemon you have might be different. The sshd version on the Linux server is:
openssh-server-3.6.1p2-33.30.3

su-->/etc/pam.d/su
ssh-client-->ssh daemon-->/etc/pam.d/sshd

Since /etc/pam.d/su and /etc/pam.d/sshd are almost identical (to my eyes), I guess the problem is with the ssh daemon...

Is my understanding correct?

Thanks! Have a nice weekend everyone!!
Raj


On Sat, 19 Feb 2005 Raj  Kumar wrote :
>Hi Richard,
>
>/etc/pam.d/system-auth is another file to compare.
>Do you use pam_unix or pam_unix2?
>
>
>more system-auth
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account     required      /lib/security/$ISA/pam_unix.so
>
>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    required      /lib/security/$ISA/pam_deny.so
>
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>
>-----------------------
>error messages in /var/log/message:
>sshd(pam_unix)[12002]: expired password for user user1 (root enforced)
>sshd(pam_unix)[12004]: session opened for user user1 by (uid=501)
>sshd(pam_unix)[12004]: session closed for user user1
>
>But what is confusing is that both /etc/pam.d/su and sshd reference system-auth for auth and account. So why does su work but sshd fail?
>
>Thanks again for your help!
>
>Raj
>
>On Sat, 19 Feb 2005 Raj  Kumar wrote :
> >Hi Richard,
> >
> >I also tried this now
> >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
> >
> >It still doesn't work. After executing the above command  chage -l user1 reports:
> >
> >Minimum:        -1
> >Maximum:        -1
> >Warning:        -1
> >Inactive:       -1
> >Last Change:            Never
> >Password Expires:       Never
> >Password Inactive:      Never
> >Account Expires:        Never
> >
> >Do you get similar output? What ssh client are you using? I tried with Mindterm, the openssh client installed on Linux and the ssh client installed with cygwin. None of them work: I get the error message and the connection is terminated immediately. But if I log in as user2 and then try "su user1" I get the error message and then the prompt to change the password (similar to the prompts you get when passwd is run).
> >
> >Since it works with su and not with ssh, and the authentication process goes through PAM, I wonder if you have different settings. Can you post your PAM version and your /etc/pam.d/su and /etc/pam.d/sshd files?
> >We should probably compare the module-type "account" settings in these files. I don't see any difference in the account modules in my /etc/pam.d/su and /etc/pam.d/sshd files.
> >
> >
> >  more /etc/pam.d/su
> >
> >#%PAM-1.0
> >auth       sufficient   /lib/security/$ISA/pam_rootok.so
> ># Uncomment the following line to implicitly trust users in the "wheel" group.
> >#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
> ># Uncomment the following line to require a user to be in the "wheel" group.
> >#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
> >auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
> >account    required     /lib/security/$ISA/pam_stack.so service=system-auth
> >password   required     /lib/security/$ISA/pam_stack.so service=system-auth
> >session    required     /lib/security/$ISA/pam_stack.so service=system-auth
> >session    optional     /lib/security/$ISA/pam_xauth.so
> >
> >---------------------------------------------------------------
> >
> >more /etc/pam.d/sshd
> >
> >#%PAM-1.0
> >auth       required     pam_stack.so service=system-auth
> >auth       required     pam_nologin.so
> >account    required     pam_stack.so service=system-auth
> >password   required     pam_stack.so service=system-auth
> >session    required     pam_stack.so service=system-auth
> >session    required     pam_limits.so
> >session    optional     pam_console.so
> >
> >
> >Thanks for your help!
> >Raj
> >
> >
> >On Sat, 19 Feb 2005 Richard Lefebvre wrote :
> > >It seems to work for me; I set everything else to -1:
> > >
> > >/usr/bin/chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1
> > >
> > >Also, I don't permit login via telnet or rlogin, only ssh.
> > >
> > >
> > >Raj Kumar wrote:
> > >>   Hi Richard!
> > >>
> > >>I tried that before. The error message I get is
> > >>  You are required to change your password immediately (root enforced)
> > >>Your password has expired, the session cannot proceed.
> > >>Connection to testserver closed
> > >>
> > >>The user does not get to the prompt to change the password. How else can he change the password if he doesn't have access to the shell?
> > >>
> > >>thank you,
> > >>Raj
> > >>
> > >>
> > >>
> > >>On Fri, 18 Feb 2005 Richard Lefebvre wrote :
> > >>  >"chage -d 0 user1" should do the trick.
> > >>  >
> > >>  >Richard
> > >>  >
> > >>  >Raj Kumar wrote:
> > >>  >>Hi Mike,
> > >>  >>
> > >>  >>I logged in as user1 today and I did not get any warnings. So "passwd -f user1" does not force the user to change the password after 24 hours.
> > >>  >>
> > >>  >>Are there any other options to force the user to change their passwords at first logon?
> > >>  >>
> > >>  >>Thank you,
> > >>  >>Raj
> > >>  >>
> > >>  >>
> > >>
> > >>
> > >>
> >_______________________________________________
> >rhn-users mailing list
> >rhn-users at redhat.com
> >https://www.redhat.com/mailman/listinfo/rhn-users
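The thread keeps coming back to what the account check actually decides for user1 after `chage -d 0 ... user1`, and the "(root enforced)" line in /var/log/messages. The script below is an added example, not code from the thread, from Red Hat or from Linux-PAM: a small POSIX sh function that applies the same ordering of checks that pam_unix's account module uses on a shadow(5) entry (as I understand that code; verify against the pam_unix source shipped with your pam package) and prints the verdict a login would receive. The shadow entries and the date value are constructed for the example. What it makes visible is that `chage -d 0` writes a last-change day of 0, and that 0 produces the root-enforced verdict on its own, whatever -m/-M/-W/-I/-E are set to. The script stops at that verdict; whether the application then runs the password stack and re-prompts, or just closes the connection, is decided by the caller (su or sshd), which is exactly the difference the thread is circling.

```shell
#!/bin/sh
# Added example, not code from the thread. Evaluates a shadow(5) entry with
# the ordering of checks pam_unix's account module applies (as I understand
# it; an assumption to verify against your pam_unix source), so the verdict
# a login will receive can be read off before testing it over ssh.
# Fields: name:hash:lastchg:min:max:warn:inact:expire:
# Day counts are days since 1970-01-01; -1 or empty means "not set".

# shadow_status ENTRY TODAY
# prints: ok | ok (expires in N days) | must-change (root enforced) |
#         expired | inactive | account-expired
shadow_status() {
    entry=$1
    today=$2
    # Split the entry on ':' without letting the hash glob-expand
    # (locked hashes start with '!' or '*').
    oldifs=$IFS
    IFS=:
    set -f
    set -- $entry
    set +f
    IFS=$oldifs
    lastchg=${3:--1}
    max=${5:--1}
    warn=${6:--1}
    inact=${7:--1}
    expire=${8:--1}

    # Absolute account expiry (chage -E) is checked before password ageing.
    if [ "$expire" != -1 ] && [ "$today" -ge "$expire" ]; then
        printf '%s\n' account-expired
        return 0
    fi
    # chage -d 0 writes lastchg=0: the "(root enforced)" case from the
    # thread. It fires no matter what -m/-M/-W/-I are set to.
    if [ "$lastchg" = 0 ]; then
        printf '%s\n' 'must-change (root enforced)'
        return 0
    fi
    if [ "$max" != -1 ]; then
        # Past max+inact days: password inactive, login refused outright.
        if [ "$inact" != -1 ] && [ "$today" -gt $((lastchg + max + inact)) ]; then
            printf '%s\n' inactive
            return 0
        fi
        # Past max days: expired, the user must pick a new password.
        if [ "$today" -gt $((lastchg + max)) ]; then
            printf '%s\n' expired
            return 0
        fi
        # Inside the warning window: login proceeds with a warning.
        remaining=$((lastchg + max - today))
        if [ "$warn" != -1 ] && [ "$remaining" -le "$warn" ]; then
            printf '%s\n' "ok (expires in $remaining days)"
            return 0
        fi
    fi
    printf '%s\n' ok
}

# Constructed entries (not real accounts). 12833 is 2005-02-19, the date of
# the thread, as days since the epoch. user1 is the result of
# "chage -d 0 -W -1 -E -1 -I -1 -M -1 -m -1 user1" from the thread.
TODAY=12833
shadow_status 'user1:$1$abcdefgh$0123456789abcdefghijk:0:-1:-1:-1:-1:-1:' "$TODAY"
shadow_status 'user2:$1$abcdefgh$0123456789abcdefghijk:12800:0:99999:7:::' "$TODAY"
shadow_status 'user3:$1$abcdefgh$0123456789abcdefghijk:12700:0:90:7:::' "$TODAY"
shadow_status 'user4:$1$abcdefgh$0123456789abcdefghijk:12700:0:90:7:30::' "$TODAY"
```

To check a real account, run it as root with the line taken from /etc/shadow (for example `shadow_status "$(grep '^user1:' /etc/shadow)" "$(( $(date +%s) / 86400 ))"`) and compare the verdict with what /var/log/messages records for the sshd and su logins.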