Chris Kottaridis wrote:
When I run:
$ passwd -e <username>
To expire a password for a user and then try to log back in for that
user, it says that I need to update my password, and then I get back to
the login prompt.
You are required to change your password immediately (root enforced)
I am expecting that it will ask to make a new password:
login: adm1
password: *******
WARNING: Your password has expired
You must change your password now and login again!
Changing password for adm1
Old password:
Enter the new password (minimum of 5, maximum of 8 characters)
Please use a combination of upper and lower case letters and numbers
New password:
Re-enter new password:
Password changed.
The man page for login implies I should be able to set it at login time:
--------------------------------
If password aging has been enabled for your account, you may be
prompted for a new password before proceeding. You will be forced to
provide your old password and the new password before continuing.
Please refer to passwd(1) for more information.
--------------------------------
Am I doing something wrong from a sysadmin point of view, or is there
some compile option that needs to be used to get the behavior that I
want?
No, you are not. This is down to the order in which login uses PAM to
check/change your password:
1. Do you know the (current) password for this account?
2. If so, we know who you are (and that you are entitled to use this
account) and can check your account details to set up your session.
Once this is done, it becomes apparent that your password has expired
and needs changing.
3. We then go through the normal password changing routine.
What exactly were you expecting to happen?
You type in an account name and immediately get told that the password
has expired?
This is a security flaw, as it immediately exposes the fact that you
have typed in a valid account name (you could be anyone trying to login).
Instead, the system tries to authenticate you first - you are *always*
prompted for a password. If this fails, you (as a possible attacker)
don't actually know if you typed an incorrect username or an incorrect
password (or failed for some other reason). All you get is 'login
incorrect'.
Regards,
Stuart
--
Stuart Sears RHCA etc.