Howto disable password changes for kerberos setups




We manage all passwords (Kerberos) in our institute with an extra tool.
Expired passwords also have to be renewed with this tool.

So I removed the password section completely from the PAM config,
but I still get the following lines when I log in via ssh
with an expired password.

WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user expuser.
passwd: Permission denied
Connection to testnode closed.

I am looking for a PAM config which handles the expired status like a disabled account
or a wrong password, without the "Changing password for user expuser.
passwd: Permission denied" lines.



OS: RHEL clone 6.5 (Scientific Linux)

Package Version:

In the pam log I see:
pam_krb5[18333]: account checks fail for 'expuser': password has expired
pam_krb5[18333]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for expuser from 131.w.x.y port 49334 ssh2
pam_krb5[18333]: default/local realm 'TEST.NET'
pam_krb5[18333]: configured realm 'TEST.NET'
pam_krb5[18333]: flag: debug
pam_krb5[18333]: flags: forwardable not proxiable
pam_krb5[18333]: flag: no ignore_afs
pam_krb5[18333]: flag: no null_afs
pam_krb5[18333]: flag: tokens
pam_krb5[18333]: flag: no cred_session
pam_krb5[18333]: flag: user_check
pam_krb5[18333]: flag: no krb4_convert
pam_krb5[18333]: flag: krb4_convert_524
pam_krb5[18333]: flag: krb4_use_as_req
pam_krb5[18333]: will try previously set password first
pam_krb5[18333]: will ask for a password if that fails
pam_krb5[18333]: will let libkrb5 ask questions
pam_krb5[18333]: flag: use_shmem
pam_krb5[18333]: flag: external
pam_krb5[18333]: flag: no multiple_ccaches
pam_krb5[18333]: flag: warn
pam_krb5[18333]: ticket lifetime: 86400s (1d,0h,0m,0s)
pam_krb5[18333]: renewable lifetime: 172800s (2d,0h,0m,0s)
pam_krb5[18333]: minimum uid: 0
pam_krb5[18333]: banner: Kerberos 5
pam_krb5[18333]: ccache dir: /xyz
pam_krb5[18333]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
pam_krb5[18333]: keytab: FILE:/etc/krb5.keytab
pam_krb5[18333]: token strategy: v4,524,2b,rxk5
pam_krb5[18333]: afs cell:
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session setup
pam_krb5[18333]: pam_sm_open_session returning 0 (Success)
pam_unix(sshd:session): session opened for user expuser by (uid=0)
Received disconnect from 131.w.x.y: 11: disconnected by user
pam_krb5[18333]: no v5 creds for user 'expuser', skipping session cleanup
pam_krb5[18333]: pam_sm_close_session returning 0 (Success)
pam_unix(sshd:session): session closed for user expuser

pam config:
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid >= 500 quiet
auth    sufficient     use_first_pass
auth        required

account required debug
account     required   broken_shadow debug
account     sufficient debug
account     sufficient uid < 500 quiet debug
account [default=bad success=ok user_unknown=ignore] debug
account     required debug

#password    requisite try_first_pass retry=3 type=
#password    sufficient md5 shadow nullok try_first_pass use_authtok
#password       sufficient     use_authtok
#password    required

session     optional revoke
session     required
session     [success=1 default=ignore] service in crond quiet use_uid
session     required debug
session     optional debug

Pam-list mailing list
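
The sequence in the log above (pam_acct_mgmt returning 12 for an expired password, followed by sshd still opening a session) can be picked out of logs automatically. The following Python code is an added example, not part of the original post; the function name `expired_sessions` is hypothetical, and the sample lines are constructed in the post's log format with made-up users and documentation addresses.

```python
import re

# Constructed sample in the line format shown in the post (no syslog prefix).
SAMPLE_LOG = """\
pam_krb5[18333]: account checks fail for 'expuser': password has expired
pam_krb5[18333]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
Accepted password for expuser from 192.0.2.10 port 49334 ssh2
pam_unix(sshd:session): session opened for user expuser by (uid=0)
pam_krb5[18400]: pam_acct_mgmt returning 0 (Success)
Accepted password for gooduser from 192.0.2.11 port 50112 ssh2
pam_unix(sshd:session): session opened for user gooduser by (uid=0)
pam_krb5[18500]: account checks fail for 'nosessuser': password has expired
pam_krb5[18500]: pam_acct_mgmt returning 12 (Authentication token is no longer valid; new one required)
"""

ACCT_FAIL = re.compile(r"pam_krb5\[(\d+)\]: account checks fail for '([^']+)': (.+)")
ACCT_RET = re.compile(r"pam_krb5\[(\d+)\]: pam_acct_mgmt returning (\d+)")
SESSION_OPEN = re.compile(r"pam_unix\(([^:]+):session\): session opened for user (\S+)")
PAM_NEW_AUTHTOK_REQD = 12  # Linux-PAM return code seen in the post's log


def expired_sessions(log_text):
    """Return (user, service, pam_krb5 pid) for each session that was opened
    after the account stack reported an expired password for that user."""
    pid_user = {}   # pam_krb5 PID -> user named in the account-check line
    pending = {}    # user -> PID whose account check returned 12
    findings = []
    for line in log_text.splitlines():
        if m := ACCT_FAIL.search(line):
            pid_user[m.group(1)] = m.group(2)
        elif m := ACCT_RET.search(line):
            pid, code = m.group(1), int(m.group(2))
            user = pid_user.get(pid)
            if user and code == PAM_NEW_AUTHTOK_REQD:
                pending[user] = pid
            elif user:
                pending.pop(user, None)  # a later non-12 result clears the flag
        elif m := SESSION_OPEN.search(line):
            service, user = m.group(1), m.group(2)
            if user in pending:
                findings.append((user, service, pending.pop(user)))
    return findings


if __name__ == "__main__":
    for user, service, pid in expired_sessions(SAMPLE_LOG):
        print(f"{service}: session opened for {user} despite expired password (pam_krb5 pid {pid})")
```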
