RHEL6 not forcing password change when logging in with expired kerberos password - remote ssh login

David Brezynski brezy at u.washington.edu
Wed Apr 29 15:30:35 EDT 2015 

Hello

I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their kerberos password when it is expired.

RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I log in.

The RHEL6 server knows the kerb pw is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket - klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)).

Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted to change my password:

kinit
Password for user at MY.DOMAIN.COM: 
Password expired.  You must change it now.
Enter new password: 

and I'm able to change the password just fine.

I figure this must be something with pam (system-auth) but after trying a number of different configurations with the auth level I can't figure it out.

My system-auth looks like this:

---------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok 
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
-----------------------------------

Any ideas?

Thanks!
David

More information about the Kerberos mailing list