password expiry for a principal

Markus Moeller huaraz at moeller.plus.com
Sun Jan 20 13:11:28 EST 2008


I see now the same message. I have to check again why my initial test looked 
OK.

Markus


"Coy Hile" <coy.hile at coyhile.com> wrote in message 
news:Pine.GSO.4.61.0801201153360.10312 at supergrover.coyhile.com...
> On Sat, 19 Jan 2008, Russ Allbery wrote:
>
>
> I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a
> principal whose password has expired, I see the following in the debug
> log:
>
> |Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: attempting authentication as cah220 at COYHILE.COM
> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: krb5_get_init_creds_password: Password has expired
> |Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: <unknown>: exit (failure)
>
> For what it's worth, I've got the following in my pam.conf on this box:
>
> # grep sshd-kbdint pam.conf
> sshd-kbdint     auth requisite          pam_authtok_get.so.1
> sshd-kbdint     auth required           pam_dhkeys.so.1
> sshd-kbdint     auth required           /tmp/pam_krb5.so.1 debug
> sshd-kbdint     auth optional           pam_unix_auth.so.1
> sshd-kbdint     session required /tmp/pam_krb5.so.1 debug
> #
>
> Am I running into SEAM just not supporting "hey bozo, your password is
> expired, change it now", or did I hork the configuration somehow?
>
> If you want, I can also provide the sshd_config.
>
> I appreciate any help you can give with this; I'm still a bit of a
> novice when it comes to doing anything cute.  Along the same lines, is
> there any way to bounce back something like "Your password is going to
> expire in n days" during the authentication process? (say only if n <
> 10).  Actually strike that.  Is there some easy way to write an app
> that you'd run from /etc/profile to banner that sort of information? If
> I were using normal UNIX auth, I could do that relatively easily using
> the information in the shadow file.
>
> -- 
> Coy Hile
> coy.hile at coyhile.com
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
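
Added example, not part of the original thread and not code from pam_krb5: it groups pam_krb5 debug lines of the shape quoted above by sshd PID and user, so that logins rejected because the password has expired can be told apart from other Kerberos failures. The first three sample lines are the ones from the post with the mail wrapping undone; the other lines, the EXAMPLE.COM principals and the `Preauthentication failed` text are constructed.

```python
import re

# Lines 1-3 are the debug lines from the post with mail wrapping undone; the
# remaining lines are constructed for contrast (EXAMPLE.COM users, error text).
SAMPLE_LOG = """\
|Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: attempting authentication as cah220 at COYHILE.COM
|Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: krb5_get_init_creds_password: Password has expired
|Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: <unknown>: exit (failure)
Jan 20 11:53:10 login sshd[10311]: [ID 584047 auth.debug] (pam_krb5): bob: attempting authentication as bob@EXAMPLE.COM
Jan 20 11:53:11 login sshd[10311]: [ID 584047 auth.debug] (pam_krb5): bob: krb5_get_init_creds_password: Preauthentication failed
Jan 20 11:53:11 login sshd[10311]: [ID 584047 auth.debug] (pam_krb5): bob: <unknown>: exit (failure)
Jan 20 11:54:00 login sshd[10320]: [ID 584047 auth.debug] (pam_krb5): carol: attempting authentication as carol@EXAMPLE.COM
Jan 20 11:54:01 login sshd[10320]: [ID 584047 auth.debug] (pam_krb5): carol: <unknown>: exit (success)
"""

# Solaris syslog line: timestamp, host, sshd[pid], optional "[ID n fac.level]" tag.
LINE = re.compile(
    r"^\|?(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\ssshd\[(?P<pid>\d+)\]:\s"
    r"(?:\[ID [^\]]*\]\s)?\(pam_krb5\):\s(?P<user>[^:\s]+):\s(?P<msg>.*)$")
# The list archive rewrites "@" as " at ", so accept both spellings.
ATTEMPT = re.compile(r"attempting authentication as (\S+?)(?:@| at )(\S+)$")
KRB_ERR = re.compile(r"krb5_get_init_creds_password: (.+)$")
EXIT = re.compile(r"exit \((\w+)\)$")

def parse_attempts(text):
    """Return one record per (sshd pid, user) login attempt seen in the log."""
    attempts = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a pam_krb5 debug line
        rec = attempts.setdefault((m["pid"], m["user"]), {
            "user": m["user"], "start": m["ts"],
            "principal": None, "error": None, "outcome": None})
        if (a := ATTEMPT.search(m["msg"])):
            rec["principal"] = f"{a[1]}@{a[2]}"
        elif (e := KRB_ERR.search(m["msg"])):
            rec["error"] = e[1]
        elif (x := EXIT.search(m["msg"])):
            rec["outcome"] = x[1]
    return list(attempts.values())

def expired_password_failures(text):
    """Attempts that failed specifically because the password had expired."""
    return [r for r in parse_attempts(text)
            if r["outcome"] == "failure" and r["error"] == "Password has expired"]

if __name__ == "__main__":
    for r in expired_password_failures(SAMPLE_LOG):
        print(r["start"], r["principal"], "password expired")
```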