RHEL6 not forcing password change when logging in with expired kerberos password - remote ssh login

David Brezynski brezy at u.washington.edu
Thu Apr 30 16:18:58 EDT 2015


Hello

I figured this out.

I needed to set --disablelocauthorize when running authconfig so that users with local entries in my /etc/password file are challenged to change their kerb pw when expired.

This must have been the default with RHEL5 but changed in RHEL6.

All is well!

Thanks
David

David Brezynski



>
> Message: 3
> Date: Wed, 29 Apr 2015 12:30:35 -0700 (PDT)
> From: David Brezynski <brezy at u.washington.edu>
> Subject: RHEL6 not forcing password change when logging in with expired kerberos password - remote ssh login
> To: kerberos at mit.edu
> Message-ID: <alpine.LRH.2.01.1504291230350.15373 at hymn04.u.washington.edu>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hello
>
> I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their kerberos password when it is expired.
>
> RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I log in.
>
> The RHEL6 server knows the kerb pw is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket - klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)).
>
> Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted to change my password:
>
> kinit
> Password for user at MY.DOMAIN.COM:
> Password expired.  You must change it now.
> Enter new password:
>
> and I'm able to change the password just fine.
>
> I figure this must be something with pam (system-auth) but after trying a number of different configurations with the auth level I can't figure it out.
>
> My system-auth looks like this:
>
> ---------------------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_fprintd.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> -----------------------------------
>
> Any ideas?
>
> Thanks!
> David
>
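An added example, not part of the original post and not code from authconfig or pam_krb5: a small Python simulation of Linux-PAM's control-flag evaluation, run over the account stack quoted above both as posted and without the `account sufficient pam_localuser.so` line, which is the line authconfig's local-authorization option emits and `--disablelocauthorize` leaves out. The module return values are constructed for the scenario in the thread (uid 541, an entry in /etc/passwd, an expired Kerberos password) and are assumptions, not captured output; `evaluate_stack` and `account_status` are names chosen here.

```python
# Added example (not from the mailing-list post): a simulator of
# Linux-PAM control-flag evaluation, used to show why the quoted account
# stack never surfaces pam_krb5's "password expired" result for users
# that also have an /etc/passwd entry. Module return values are
# constructed for the thread's scenario (uid 541, local entry, expired
# Kerberos password); they are assumptions, not captured output.

PAM_SUCCESS = "PAM_SUCCESS"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_IGNORE = "PAM_IGNORE"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

# Linux-PAM's simple control keywords expressed in its bracketed form.
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Map a control field to {return_value_name: action}."""
    if control.startswith("["):
        return dict(tok.split("=") for tok in control.strip("[]").split())
    return SIMPLE_CONTROLS[control]


def evaluate_stack(stack, results):
    """Walk one PAM stack the way libpam's dispatcher does.

    stack:   list of (control, module) lines in file order
    results: dict module -> return value that module would produce
    Returns the status handed back to the application (sshd here).
    """
    impression = None        # None: undecided, True: positive, False: negative
    status = PAM_SUCCESS
    for control, module in stack:
        retval = results[module]
        actions = parse_control(control)
        key = retval[len("PAM_"):].lower()   # PAM_NEW_AUTHTOK_REQD -> new_authtok_reqd
        action = actions.get(key, actions["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression and status == PAM_SUCCESS):
                if retval != PAM_IGNORE or impression is None:
                    impression, status = True, retval
            if action == "done" and impression:
                break                        # "sufficient" short-circuits the stack
        elif action == "bad":
            if impression is not False:      # first failure decides the status
                impression, status = False, retval
        elif action == "die":
            impression, status = False, retval
            break
    return status


# Account stack as quoted in the thread (authconfig with local
# authorization enabled).
QUOTED_ACCOUNT_STACK = [
    ("required", "pam_unix.so"),                                  # broken_shadow
    ("sufficient", "pam_localuser.so"),
    ("sufficient", "pam_succeed_if.so"),                          # uid < 500 quiet
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("required", "pam_permit.so"),
]

# Same stack without pam_localuser.so, i.e. what --disablelocauthorize yields.
FIXED_ACCOUNT_STACK = [line for line in QUOTED_ACCOUNT_STACK
                       if line[1] != "pam_localuser.so"]


def account_status(stack, krb5_result):
    """Final account-stack status for a uid-541 user with a local entry."""
    results = {                              # constructed per-module results
        "pam_unix.so": PAM_SUCCESS,          # local account is valid
        "pam_localuser.so": PAM_SUCCESS,     # user is listed in /etc/passwd
        "pam_succeed_if.so": PAM_AUTH_ERR,   # uid 541 fails the "< 500" check
        "pam_krb5.so": krb5_result,          # NEW_AUTHTOK_REQD when expired
        "pam_permit.so": PAM_SUCCESS,
    }
    return evaluate_stack(stack, results)


if __name__ == "__main__":
    for name, stack in (("quoted", QUOTED_ACCOUNT_STACK),
                        ("fixed", FIXED_ACCOUNT_STACK)):
        print(name, "expired krb pw ->", account_status(stack, PAM_NEW_AUTHTOK_REQD))
        print(name, "valid krb pw   ->", account_status(stack, PAM_SUCCESS))
```

With the stack as posted, a local user satisfies `pam_localuser.so`, whose `sufficient` control terminates the account stack with success before `pam_krb5.so` is ever consulted, so the expired-password status is never returned to sshd. Without that line, `pam_krb5.so` runs, its `default=bad` mapping turns the expired password into a failing `PAM_NEW_AUTHTOK_REQD`, and sshd reacts by running the password stack, where `pam_krb5.so use_authtok` performs the change. A user whose Kerberos password is still valid gets `PAM_SUCCESS` from both stacks, so dropping the line does not break ordinary logins.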
