Hello all,

I'm trying to figure out how to get pam to properly handle expired passwords. Currently, when a user logs in with an expired password, the system will prompt him to change his password. If the password change is SUCCESSFUL, the system will kick him off (and he can't log in until his password change replicates). If the password change is REJECTED, the system will give him a session (even though /var/log/messages clearly shows that the Kerberos server rejected the password change).

Here is the system-auth file:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0076
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

And of course, my sshd and login use pam_stack to point to it, although I have also tried putting these contents straight into the sshd and login files.

Having failed at this, I want to get it so that when the password is expired, the system will simply respond "Your password is expired" and then close the session. I found a way that almost works. Using the following setup, the system will tell me that the password is expired, ask me to REENTER my current password, and THEN close the session.
I would like it to drop my session before asking me to reenter the password:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass debug
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so debug
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    [default=bad success=ok new_authtok_reqd=ok] /lib/security/$ISA/pam_krb5.so use_authtok debug
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_mkhomedir.so skel=/etc/skel/ umask=0076
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so debug

What do you guys think?

-- 
DK

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
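The bracketed control fields in the configs above decide what each stack hands back to login or sshd. As an added example, not code from the post or from Linux-PAM itself, this Python snippet implements the control-action combination rules documented in pam.conf(5) and runs them over the first config's account stack with constructed module return codes, so the effect of default=bad versus user_unknown=ignore on an expired Kerberos password can be seen directly.

```python
# Added example (not from the original post): PAM control-field combination as
# documented in pam.conf(5), run over the first system-auth's account stack.
SUCCESS, NEW_AUTHTOK_REQD = "PAM_SUCCESS", "PAM_NEW_AUTHTOK_REQD"
# pam.conf(5) defines the keyword controls as bracketed tables; two are enough here.
ALIASES = {
    "required":   {SUCCESS: "ok", NEW_AUTHTOK_REQD: "ok", "PAM_IGNORE": "ignore", "default": "bad"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
}

def parse_control(field):
    """'[default=bad success=ok user_unknown=ignore]' -> {code: action} table."""
    if not field.startswith("["):
        return ALIASES[field]
    table = {}
    for pair in field.strip("[]").split():
        code, action = pair.split("=")
        table[code if code == "default" else "PAM_" + code.upper()] = action
    return table

def run_stack(entries, returns):
    """entries: [(control, module)], returns: {module: code}; gives the stack's final status."""
    impression, status = None, None   # None = undecided, True = positive, False = negative
    for control, module in entries:
        retval = returns[module]
        table = parse_control(control)
        action = table.get(retval, table.get("default", "ignore"))  # "ignore" changes nothing
        if action in ("ok", "done"):
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval   # never overrides a recorded failure
            if impression and action == "done":
                break                               # sufficient-style early return
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval  # the first failure sticks
            if action == "die":
                break
    return status

# Account stack of the first system-auth in the post.
ACCOUNT_STACK = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]", "pam_krb5.so"),
]

def expired_password():
    """pam_krb5 reports an expired password; not in the table, so default=bad applies."""
    return run_stack(ACCOUNT_STACK, {"pam_unix.so": SUCCESS, "pam_krb5.so": NEW_AUTHTOK_REQD})
def krb5_user_unknown():
    """Local-only account: user_unknown=ignore keeps pam_unix's success."""
    return run_stack(ACCOUNT_STACK, {"pam_unix.so": SUCCESS, "pam_krb5.so": "PAM_USER_UNKNOWN"})
```

With these inputs the expired-password case returns PAM_NEW_AUTHTOK_REQD to the application and the unknown-user case returns PAM_SUCCESS, which is the difference the ignore entries in that control field are there to make.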