[36941] in Kerberos
RHEL6 not forcing password change when logging in with expired
daemon@ATHENA.MIT.EDU (David Brezynski)
Wed Apr 29 15:38:46 2015
Date: Wed, 29 Apr 2015 12:30:35 -0700 (PDT)
From: David Brezynski <brezy@u.washington.edu>
To: kerberos@mit.edu
Message-ID: <alpine.LRH.2.01.1504291230350.15373@hymn04.u.washington.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hello
I have a mixed RHEL5/RHEL6 environment and am having problems with RHEL6 forcing users to change their kerberos password when it is expired.
RHEL5 works as I'd expect - challenges me to change my expired kerb pw when I log in.
The RHEL6 server knows the kerb pw is expired (and shows the message "Warning: password has expired.") but then continues to give me an interactive session (albeit without a valid ticket - klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_541)).
Also on RHEL6 servers if I manually enter kinit after ssh'ing I get prompted to change my password:
kinit
Password for user@MY.DOMAIN.COM:
Password expired. You must change it now.
Enter new password:
and I'm able to change the password just fine.
I figure this must be something with pam (system-auth) but after trying a number of different configurations with the auth level I can't figure it out.
My system-auth looks like this:
---------------------------------
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
-----------------------------------
Any ideas?
Thanks!
David
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos