Re: expired passwords

Chris Kottaridis wrote:
When I run:

$ passwd -e <username>

to expire a password for a user and then try to log back in as that
user, it says that I need to update my password, and then I get back to
the login prompt.

You are required to change your password immediately (root enforced)

I am expecting that it will ask to make a new password:

login: adm1
password: *******
WARNING: Your password has expired
You must change your password now and login again!
Changing password for adm1
Old password:
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers
New password:
Re-enter new password:
Password changed.

The man page for login implies I should be able to set it at login time:

--------------------------------
 If password aging has been enabled for your account, you may be
 prompted for a new password before proceeding. You will be forced to
 provide your old password and the new password before continuing.
 Please refer to passwd(1) for more information.
--------------------------------

Am I doing something wrong from a sysadmin point of view, or is there
some compile option that needs to be used to get the behavior that I
want?

No, you are not. This is down to the order in which login uses PAM to check/change your password:
1. Do you know the (current) password for this account?
2. If so, we know who you are (and that you are entitled to use this account) and can check your account details to set up your session. Once this is done, it becomes apparent that your password has expired and needs changing.
3. We then go through the normal password changing routine.


What exactly were you expecting to happen?

You type in an account name and immediately get told that the password has expired? This is a security flaw, as it immediately exposes the fact that you have typed in a valid account name (you could be anyone trying to log in). Instead the system tries to authenticate you first - you are *always* prompted for a password. If this fails, you (as a possible attacker) don't actually know if you typed an incorrect username or an incorrect password (or failed for some other reason). All you get is 'login incorrect'.

Regards,

Stuart
--
Stuart Sears RHCA etc.