Sorry, I wasn't clear. Here is what I get when I try and telnet in to localhost: >> telnet localhost >Trying 127.0.0.1... >Connected to localhost. >Escape character is '^]'. > >host10 login: tester >Password: >You are required to change your password immediately (password aged) > >Authentication token manipulation error >Connection closed by foreign host So, I guess if I didn't get the "Authentication token manipulation error" then it'd prompt me for a new password. I get the same kind of thing when trying to login on the serial port. Interestingly enough if I ssh into the machine from another machine I seem to get what I want: >$ ssh tester@xxxxxxxxxxxx >tester@xxxxxxxxxxxx's password: >You are required to change your password immediately (password aged) > > >WARNING: Your password has expired. >You must change your password now and login again! >Changing password for tester >(current) UNIX password: Is this related to some sort of PAM configuration options in /etc/pam.d/login or possibly login.defs ? Why would ssh work OK, but telnet to localhost and serial port access not work OK ? Thanks Chris Kottaridis (chriskot@xxxxxxxxxxxxx) On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote: > Chris Kottaridis wrote: > > When I run: > > > > $ passwd -e <username> > > > > To expire a password for a user and then try to log back in for that > > user it says that I need to update my password. and then I get back to > > the login prompt. > > > >> You are required to change your password immediately (root enforced) > > > > I am expecting that it will ask to make a new password: > > > >> login: adm1 > >> password: ******* > >> WARNING: Your password has expired > >> You must change your password now and login again! > >> Changing password for adm1 > >> Old password: > >> Enter the new password (minimum of 5, maximum of 8 characters) > >> Please use a combination of upper and lower case letters and numbers > >> New password: > >> Re-enter new password: > >> Password changed. > > > > The man page for login implies I should be able to set it at login time: > > > > -------------------------------- > > If password aging has been enabled for your account, you may be > > prompted for a new password before proceeding. You will be forced to > > provide your old password and the new password before continuing. > > Please refer to passwd(1) for more information. > > -------------------------------- > > > > Am I doing something wrong from a sysadmin point of view or is there > > some compile option that needs to be used to get the behavior that I > > want ? > > no you are not. This is down to the order in which login uses PAM to > check/change your password: > 1. Do you know the (current) password for this account? > 2. If so, We know who you are (and that you are entitled to use this > account) and can check your account details to set up your session. > Once this is done, it becomes apparent that your password has expired > and needs changing. > 3. We then go through the normal password changing routine. > > > what exactly were you expecting to happen? > > You type in an account name and immediately get told that the password > has expired? > This is a security flaw, as it immediately exposes the fact that you > have typed in a valid account name (you could be anyone trying to login). > Instead the system tries to authenticate you first - you are *always* > prompted for a password. If this fails, you (as a possible attacker) > don't actually know if you typed an incorrect username or an incorrect > password. (or failed for some other reason). All you get is 'login > incorrect' > > Regards, > > Stuart -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list