password expiration not prompting - solaris 10

Russ Allbery rra at stanford.edu
Wed Nov 25 20:55:57 EST 2009


CT <caltri at gmail.com> writes:

> Having an issue where when an account password has expired it doesn't
> prompt the user to change it and lets the user log in.  It does show a
> message saying that it has expired.

Sun intentionally disables the normal Kerberos library support for
changing passwords when authenticating with expired passwords.  I'm not
sure why they chose to do that.

If you're running into this in the PAM context, you can work around this
by using a PAM module and an application that supports the fully correct
PAM method of handling expired accounts (return success from auth and then
indicate a password change is needed in the account stack), or you can use
a PAM module that detects and works around this case by doing the password
change prompting itself in the auth stack (my pam-krb5 with force_pwchange
set in the options, for instance).

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
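
An added example, not part of the original post and not code from pam-krb5: a small Python check that scans a Solaris-style pam.conf for auth-stack pam_krb5 entries that lack the force_pwchange option mentioned above. The sample configuration and the module install path in it are constructed assumptions.

```python
"""Audit a Solaris-style pam.conf for pam_krb5 auth entries lacking force_pwchange."""
import posixpath

# Constructed sample in /etc/pam.conf layout:
#   service  module_type  control_flag  module_path  [options]
# The /usr/local module path is an assumed install location, not from the post.
SAMPLE_PAM_CONF = """\
# constructed example
login   auth     requisite   pam_authtok_get.so.1
login   auth     sufficient  /usr/local/lib/security/pam_krb5.so
login   auth     required    pam_unix_auth.so.1
login   account  required    /usr/local/lib/security/pam_krb5.so
sshd    auth     sufficient  /usr/local/lib/security/pam_krb5.so force_pwchange
other   auth     sufficient  pam_krb5.so.1 debug
"""


def parse_pam_conf(text):
    """Yield (lineno, service, type, control, module, options) per entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = line.split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed line
        service, mtype, control, module = fields[:4]
        yield lineno, service, mtype.lower(), control, module, fields[4:]


def missing_force_pwchange(text):
    """Return (lineno, service) for auth pam_krb5 entries without the option."""
    findings = []
    for lineno, service, mtype, _control, module, options in parse_pam_conf(text):
        if mtype != "auth":
            continue  # the workaround prompts in the auth stack only
        if not posixpath.basename(module).startswith("pam_krb5.so"):
            continue
        if "force_pwchange" not in options:
            findings.append((lineno, service))
    return findings


if __name__ == "__main__":
    for lineno, service in missing_force_pwchange(SAMPLE_PAM_CONF):
        print(f"line {lineno}: '{service}' auth uses pam_krb5 without force_pwchange")
```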