Hello,

Sorry if this is a repeat but I couldn't find this in the archives:

We are using RedHat 7.2 with all latest patches and pam_krb5-1.46-1 with krb5-*-1.2.2-14. Pam works just fine with the exception of forcing password expiry. I understand this is difficult with PAM as krb5 demands a new password before authentication can complete.

Has anyone had success in getting password expiry working in this environment?

I've tried both the default installed /etc/pam.d/login (the login method I'm using to test is telnetd with login) and some of the samples in /usr/share/doc/pam_krb5/pam.d and both cause an abort in authentication when the password is expired and no 'enter new password' prompt is given.

debug log:
--------------------------------
Aug 28 08:13:40 host login[30906]: pam_krb5: attempting to authenticate `user'
Aug 28 08:13:40 host login[30906]: pam_krb5: get_int_tkt returned Password has expired
Aug 28 08:13:40 host login[30906]: pam_krb5: authenticate error: Password has expired (-1765328361)
Aug 28 08:13:40 host login[30906]: pam_krb5: authentication fails for `user'
Aug 28 08:13:40 host login[30906]: pam_krb5: pam_sm_authenticate returning 12 (Authentication token is no longer valid; new one required.)
Aug 28 08:13:42 host login[30906]: FAILED LOGIN SESSION FROM host.domain.ca FOR user, Authentication token is no longer valid; new one required.
----------------------------------

When I try my own bare-bones pam.d/login, I get an 'Enter new password' prompt but it ends up in an endless loop of the two password prompts:

Kernel 2.4.9-34smp on an i686
login: user
Password:
Enter new password:
Enter it again:
Enter new password:
Enter it again:

and so on...

There is nothing wrong with the password I'm choosing as it meets all of the policy criteria. The debug log doesn't reveal anything beyond the following line:

Aug 28 08:22:23 hostname login: pam_krb5: attempting to authenticate `user'

My pam.d/login:

auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_krb5.so debug
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_unix.so
session    required     /lib/security/pam_unix.so

Any suggestions are appreciated.

Mike.
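
Added example (not part of the original post, and not pam_krb5's own code): a small Python triage of the debug lines quoted above that decodes the krb5 error number and the PAM return code, so an expired-password rejection can be told apart from a failed login. The PID 31002 lines, the `triage` function and the `no-pid` key are constructed for illustration; the error-table base and code names are the MIT krb5 and Linux-PAM values.

```python
import re

KRB5_TABLE_BASE = -1765328384  # base of MIT krb5's "krb5" com_err error table
KRB5_ERRORS = {23: "KDC_ERR_KEY_EXPIRED", 24: "KDC_ERR_PREAUTH_FAILED"}  # RFC 4120 subset
PAM_CODES = {7: "PAM_AUTH_ERR", 12: "PAM_NEW_AUTHTOK_REQD"}  # Linux-PAM subset

LINE = re.compile(r"login(?:\[(?P<pid>\d+)\])?: pam_krb5: (?P<msg>.*)$")
USER = re.compile(r"attempting to authenticate `([^']*)'")
KRB = re.compile(r"authenticate error: .*\((-?\d+)\)")
PAM = re.compile(r"pam_sm_authenticate returning (\d+)")

# PID 30906 and the PID-less line are copied from the post; PID 31002 is constructed.
SAMPLE = """\
Aug 28 08:13:40 host login[30906]: pam_krb5: attempting to authenticate `user'
Aug 28 08:13:40 host login[30906]: pam_krb5: authenticate error: Password has expired (-1765328361)
Aug 28 08:13:40 host login[30906]: pam_krb5: pam_sm_authenticate returning 12 (Authentication token is no longer valid; new one required.)
Aug 28 08:22:23 hostname login: pam_krb5: attempting to authenticate `user'
Aug 28 08:30:01 host login[31002]: pam_krb5: attempting to authenticate `other'
Aug 28 08:30:01 host login[31002]: pam_krb5: authenticate error: Preauthentication failed (-1765328360)
Aug 28 08:30:01 host login[31002]: pam_krb5: pam_sm_authenticate returning 7 (Authentication failure)
""".splitlines()

def triage(lines):
    """Group pam_krb5 debug lines by login PID and classify each attempt."""
    sessions = {}
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        s = sessions.setdefault(m["pid"] or "no-pid", {"user": None, "krb5": None, "pam": None})
        msg = m["msg"]
        if (u := USER.search(msg)):
            s["user"] = u.group(1)
        elif (k := KRB.search(msg)):
            code = int(k.group(1)) - KRB5_TABLE_BASE  # offset into the krb5 error table
            s["krb5"] = KRB5_ERRORS.get(code, f"krb5 error {code}")
        elif (p := PAM.search(msg)):
            s["pam"] = PAM_CODES.get(int(p.group(1)), f"PAM code {p.group(1)}")
    for s in sessions.values():
        if s["krb5"] == "KDC_ERR_KEY_EXPIRED" or s["pam"] == "PAM_NEW_AUTHTOK_REQD":
            s["verdict"] = "expired-password"  # password change needed, not a bad guess
        elif s["pam"] is not None:
            s["verdict"] = "auth-failure"
        else:
            s["verdict"] = "incomplete"        # module logged no result for this attempt
    return sessions
```

The PID-less line from the second log comes out as `incomplete`: the module logged the start of the attempt but never a return code.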