RHEL6 not forcing password change when logging in with expired kerberos password - remote ssh login
David Brezynski
brezy at u.washington.edu
Thu Apr 30 16:18:58 EDT 2015
Hello
I figured this out.
I needed to set --disablelocauthorize when running authconfig so that users with local entries in my /etc/passwd file are challenged to change their kerb pw when expired.
This must have been the default with RHEL5 but changed in RHEL6.
All is well!
Thanks
David
David Brezynski
>
> Message: 3
> Date: Wed, 29 Apr 2015 12:30:35 -0700 (PDT)
> From: David Brezynski <brezy at u.washington.edu>
> Subject: RHEL6 not forcing password change when logging in with
> expired kerberos password - remote ssh login
> To: kerberos at mit.edu
> Message-ID:
> <alpine.LRH.2.01.1504291230350.15373 at hymn04.u.washington.edu>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
>
> Hello
>
> I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their kerberos password when it is expired.
>
> RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I log in.
>
> The RHEL6 server knows the kerb pw is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket - klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)).
>
> Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted to change my password:
>
> kinit
> Password for user at MY.DOMAIN.COM:
> Password expired. You must change it now.
> Enter new password:
>
> and I'm able to change the password just fine.
>
> I figure this must be something with pam (system-auth) but after trying a number of different configurations with the auth level I can't figure it out.
>
> My system-auth looks like this:
>
> ---------------------------------
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_fprintd.so
> auth sufficient pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 500 quiet
> auth sufficient pam_krb5.so use_first_pass
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account required pam_permit.so
>
> password requisite pam_cracklib.so try_first_pass retry=3 type=
> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password sufficient pam_krb5.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_krb5.so
> -----------------------------------
>
> Any ideas?
>
> Thanks!
> David
> _______________________________________________
> Kerberos mailing list
> Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
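As an added illustration of the fix described in the reply (this is not code from the thread): the "account sufficient pam_localuser.so" line that authconfig writes with --enablelocauthorize succeeds for any user present in /etc/passwd, so the pam_krb5.so account check, which is what reports the expired Kerberos password and forces the change, is never reached for those users; --disablelocauthorize removes that line. The Python check below parses a system-auth file and flags that ordering; the sample configurations are constructed from the stack quoted in the original post.

```python
import re

# Constructed sample: the auth/account stack from the quoted system-auth
# (authconfig default with --enablelocauthorize).
BEFORE = """\
#%PAM-1.0
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
"""

# Same stack after re-running authconfig with --disablelocauthorize:
# the pam_localuser.so line is gone, so pam_krb5.so's account check runs
# for local users too and can return "new authtok required".
AFTER = BEFORE.replace("account sufficient pam_localuser.so\n", "")

# type, control (either a keyword or a [bracketed] spec), module, arguments
LINE_RE = re.compile(r"^(?P<type>\w+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$")


def parse_pam(text):
    """Return (type, control, module, args) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            entries.append((m["type"], m["control"], m["module"], m["args"].strip()))
    return entries


def local_users_bypass_krb5_account(text):
    """True if a 'sufficient' pam_localuser.so precedes pam_krb5.so in the
    account stack, i.e. local users never see pam_krb5's password-expired result."""
    account = [e for e in parse_pam(text) if e[0] == "account"]
    for i, (_, control, module, _) in enumerate(account):
        if module == "pam_localuser.so" and control == "sufficient":
            return any(m == "pam_krb5.so" for _, _, m, _ in account[i + 1:])
    return False


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, "local users bypass pam_krb5 account check:", local_users_bypass_krb5_account(cfg))
```

Run it against a real /etc/pam.d/system-auth (read the file into the function) to confirm the same ordering problem before and after re-running authconfig.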