Howto disable password changes for kerberos setups

Hello!

We manage all passwords (Kerberos) in our institute with an extra tool.
Expired passwords also have to be renewed with this tool.

So I removed the password section completely from the PAM config,
but I still get the following lines when I log in via ssh
with an expired password.

>>
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user expuser.
passwd: Permission denied
Connection to testnode closed.
<<

I am looking for a PAM config which handles the expired status like a disabled account
or a wrong password, without the "Changing password for user expuser.
passwd: Permission denied" lines.

Regards!

Sven


OS: RHEL clone 6.5 (Scientific Linux)

Package Version:
pam-1.1.1-17.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
krb5-workstation-1.10.3-10.el6_4.6.x86_64
krb5-libs-1.10.3-10.el6_4.6.x86_64
openafs-krb5-1.6.5.1-147.sl6.x86_64

In the pam log I see:
pam_krb5[18333]: account checks fail for 'expuser': password has expired
pam_krb5[18333]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for expuser from 131.w.x.y port 49334 ssh2
pam_krb5[18333]: default/local realm 'TEST.NET'
pam_krb5[18333]: configured realm 'TEST.NET'
pam_krb5[18333]: flag: debug
pam_krb5[18333]: flags: forwardable not proxiable
pam_krb5[18333]: flag: no ignore_afs
pam_krb5[18333]: flag: no null_afs
pam_krb5[18333]: flag: tokens
pam_krb5[18333]: flag: no cred_session
pam_krb5[18333]: flag: user_check
pam_krb5[18333]: flag: no krb4_convert
pam_krb5[18333]: flag: krb4_convert_524
pam_krb5[18333]: flag: krb4_use_as_req
pam_krb5[18333]: will try previously set password first
pam_krb5[18333]: will ask for a password if that fails
pam_krb5[18333]: will let libkrb5 ask questions
pam_krb5[18333]: flag: use_shmem
pam_krb5[18333]: flag: external
pam_krb5[18333]: flag: no multiple_ccaches
pam_krb5[18333]: flag: warn
pam_krb5[18333]: ticket lifetime: 86400s (1d,0h,0m,0s)
pam_krb5[18333]: renewable lifetime: 172800s (2d,0h,0m,0s)
pam_krb5[18333]: minimum uid: 0
pam_krb5[18333]: banner: Kerberos 5
pam_krb5[18333]: ccache dir: /xyz
pam_krb5[18333]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
pam_krb5[18333]: keytab: FILE:/etc/krb5.keytab
pam_krb5[18333]: token strategy: v4,524,2b,rxk5
pam_krb5[18333]: afs cell: test.net
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session setup
pam_krb5[18333]: pam_sm_open_session returning 0 (Success)
pam_unix(sshd:session): session opened for user expuser by (uid=0)
Received disconnect from 131.w.x.y: 11: disconnected by user
...
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session cleanup
pam_krb5[18333]: pam_sm_close_session returning 0 (Success)
pam_unix(sshd:session): session closed for user expuser


pam config:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so debug
account     required      pam_unix.so broken_shadow debug
account     sufficient    pam_localuser.so debug
account     sufficient    pam_succeed_if.so uid < 500 quiet debug
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so debug
account     required      pam_permit.so debug

#password    requisite     pam_cracklib.so try_first_pass retry=3 type=
#password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
#password    sufficient    pam_krb5.so use_authtok
#password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so debug
session     optional      pam_krb5.so debug


_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list