Re: expired passwords

Chris Kottaridis wrote:
When I run:

$ passwd -e <username>

to expire a password for a user and then try to log back in as that
user, it says that I need to update my password, and then I get back to
the login prompt:

You are required to change your password immediately (root enforced)

I am expecting that it will ask to make a new password:

login: adm1
password: *******
WARNING: Your password has expired
You must change your password now and login again!
Changing password for adm1
Old password:
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers
New password:
Re-enter new password:
Password changed.

The man page for login implies I should be able to set it at login time:

--------------------------------
 If password aging has been enabled for your account, you may be
 prompted for a new password before proceeding. You will be forced to
 provide your old password and the new password before continuing.
 Please refer to passwd(1) for more information.
--------------------------------

Am I doing something wrong from a sysadmin point of view, or is there
some compile option that needs to be used to get the behavior that I
want?

No, you are not. This is down to the order in which login uses PAM to check/change your password:
1. Do you know the (current) password for this account?
2. If so, we know who you are (and that you are entitled to use this account) and can check your account details to set up your session. Once this is done, it becomes apparent that your password has expired and needs changing.
3. We then go through the normal password changing routine.


What exactly were you expecting to happen?

You type in an account name and immediately get told that the password has expired? This is a security flaw, as it immediately exposes the fact that you have typed in a valid account name (you could be anyone trying to log in). Instead, the system tries to authenticate you first - you are *always* prompted for a password. If this fails, you (as a possible attacker) don't actually know whether you typed an incorrect username or an incorrect password (or failed for some other reason). All you get is 'login incorrect'.

Regards,

Stuart
--
Stuart Sears RHCA etc.
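As an added illustration of the order Stuart describes (not code from the thread or from login/PAM itself), here is a small Python model of the three-step sequence: authenticate first, then account management, then the password change. The shadow-style records, the SHA-256 stand-in for crypt(3), and the fixed "today" date are constructed for the example; the "(root enforced)" text mirrors what pam_unix prints when the last-change field is 0, which is what `passwd -e` sets.

```python
# Added model (not the thread's code) of login's PAM sequence: auth -> acct -> chauthtok.
import hashlib
from datetime import date
EPOCH = date(1970, 1, 1)

def _h(pw: str) -> str:
    # Constructed stand-in for the shadow hash; real /etc/shadow uses crypt(3).
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed /etc/shadow-style records: hash, last change (days since epoch), max age.
# `passwd -e` sets the last-change field to 0, which is what adm1 shows here.
SHADOW = {
    "adm1":  {"hash": _h("secret1"), "lastchg": 0,     "max": 90},
    "alice": {"hash": _h("hunter2"), "lastchg": 13000, "max": 99999},
    "bob":   {"hash": _h("letmein"), "lastchg": 13000, "max": 30},
}

def pam_authenticate(user: str, password: str) -> str:
    """Step 1: check the current password. Unknown user and wrong password
    return the same code, so the caller cannot tell which one failed."""
    rec = SHADOW.get(user)
    if rec is None or rec["hash"] != _h(password):
        return "PAM_AUTH_ERR"
    return "PAM_SUCCESS"

def pam_acct_mgmt(user: str, today: date) -> tuple:
    """Step 2: aging checks run only for an already-authenticated user."""
    rec, now = SHADOW[user], (today - EPOCH).days
    if rec["lastchg"] == 0:
        return "PAM_NEW_AUTHTOK_REQD", "You are required to change your password immediately (root enforced)"
    if rec["lastchg"] + rec["max"] < now:
        return "PAM_NEW_AUTHTOK_REQD", "You are required to change your password immediately (password aged)"
    return "PAM_SUCCESS", ""

def login(user: str, password: str, new_password: str = None,
          today: date = date(2008, 1, 1)) -> list:
    """Return the messages the user sees, in order. `today` is constructed."""
    if pam_authenticate(user, password) != "PAM_SUCCESS":
        return ["Login incorrect"]            # identical for bad user or bad password
    rc, msg = pam_acct_mgmt(user, today)
    msgs = []
    if rc == "PAM_NEW_AUTHTOK_REQD":
        msgs.append(msg)
        if new_password is None:              # no new token supplied: no session
            return msgs
        # Step 3: pam_chauthtok with PAM_CHANGE_EXPIRED_AUTHTOK stores the new token
        SHADOW[user].update(hash=_h(new_password), lastchg=(today - EPOCH).days)
        msgs.append("passwd: all authentication tokens updated successfully.")
    return msgs + ["Session opened"]
```

The point to check is that `login("nosuch", "x")` and `login("adm1", "wrong")` return exactly the same thing, while the expiry message only ever appears after a correct current password.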

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list