Sorry, I wasn't clear. Here is what I get when I try and telnet in to localhost:

>> telnet localhost
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>
>host10 login: tester
>Password:
>You are required to change your password immediately (password aged)
>
>Authentication token manipulation error
>Connection closed by foreign host

So, I guess if I didn't get the "Authentication token manipulation error" then it'd prompt me for a new password. I get the same kind of thing when trying to login on the serial port.

Interestingly enough, if I ssh into the machine from another machine I seem to get what I want:

>$ ssh tester@xxxxxxxxxxxx
>tester@xxxxxxxxxxxx's password:
>You are required to change your password immediately (password aged)
>
>
>WARNING: Your password has expired.
>You must change your password now and login again!
>Changing password for tester
>(current) UNIX password:

Is this related to some sort of PAM configuration options in /etc/pam.d/login or possibly login.defs? Why would ssh work OK, but telnet to localhost and serial port access not work OK?

Thanks
Chris Kottaridis (chriskot@xxxxxxxxxxxxx)

On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> Chris Kottaridis wrote:
> > When I run:
> >
> > $ passwd -e <username>
> >
> > To expire a password for a user and then try to log back in for that
> > user it says that I need to update my password, and then I get back to
> > the login prompt.
> >
> >> You are required to change your password immediately (root enforced)
> >
> > I am expecting that it will ask to make a new password:
> >
> >> login: adm1
> >> password: *******
> >> WARNING: Your password has expired
> >> You must change your password now and login again!
> >> Changing password for adm1
> >> Old password:
> >> Enter the new password (minimum of 5, maximum of 8 characters)
> >> Please use a combination of upper and lower case letters and numbers
> >> New password:
> >> Re-enter new password:
> >> Password changed.
> >
> > The man page for login implies I should be able to set it at login time:
> >
> > --------------------------------
> > If password aging has been enabled for your account, you may be
> > prompted for a new password before proceeding. You will be forced to
> > provide your old password and the new password before continuing.
> > Please refer to passwd(1) for more information.
> > --------------------------------
> >
> > Am I doing something wrong from a sysadmin point of view or is there
> > some compile option that needs to be used to get the behavior that I
> > want?
>
> No, you are not. This is down to the order in which login uses PAM to
> check/change your password:
> 1. Do you know the (current) password for this account?
> 2. If so, we know who you are (and that you are entitled to use this
> account) and can check your account details to set up your session.
> Once this is done, it becomes apparent that your password has expired
> and needs changing.
> 3. We then go through the normal password changing routine.
>
> What exactly were you expecting to happen?
>
> You type in an account name and immediately get told that the password
> has expired?
> This is a security flaw, as it immediately exposes the fact that you
> have typed in a valid account name (you could be anyone trying to login).
> Instead the system tries to authenticate you first - you are *always*
> prompted for a password. If this fails, you (as a possible attacker)
> don't actually know if you typed an incorrect username or an incorrect
> password (or failed for some other reason). All you get is 'login
> incorrect'.
>
> Regards,
>
> Stuart
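As an added illustration, not part of this thread or of PAM itself, here is a small Python model of the three-step order Stuart describes (auth, then account management, then password change), using a constructed account table in place of the real password database; it shows why the "password aged" message can only appear after the current password has been accepted, and why a failed change after that is reported rather than silently retried.

```python
# Added simulation of the PAM step order login(1) follows (see Stuart's reply):
# auth first, then account management (where aging surfaces), then chauthtok.
# Not PAM itself; the account table is constructed sample data for this thread.

# Constructed accounts: stored password and whether `passwd -e` expired it.
ACCOUNTS = {
    "tester": {"password": "s3cret", "expired": True},
    "alice": {"password": "hunter2", "expired": False},
}
LOGIN_INCORRECT = "Login incorrect"
EXPIRED_MSG = "You are required to change your password immediately (password aged)"
AUTHTOK_ERR = "Authentication token manipulation error"  # Linux-PAM text for PAM_AUTHTOK_ERR


def pam_authenticate(user, password):
    """Step 1 (auth stack): an unknown user and a wrong password both just
    fail, so the caller cannot tell them apart."""
    acct = ACCOUNTS.get(user)
    return acct is not None and acct["password"] == password


def pam_acct_mgmt(user):
    """Step 2 (account stack): reached only after a successful auth; this is
    where password aging is noticed."""
    return "new_authtok_reqd" if ACCOUNTS[user]["expired"] else "success"


def pam_chauthtok(user, old_password, new_password):
    """Step 3 (password stack): the normal change routine. Needs the current
    password again and a genuinely new one; anything else fails."""
    if not new_password or new_password == old_password:
        return False
    if ACCOUNTS[user]["password"] != old_password:
        return False
    ACCOUNTS[user].update(password=new_password, expired=False)
    return True


def login(user, password, new_password=None):
    """Run the stacks in login(1) order; return the messages the user sees,
    so the replies to different failures can be compared."""
    if not pam_authenticate(user, password):
        return [LOGIN_INCORRECT]  # same reply whether user or password was wrong
    seen = []
    if pam_acct_mgmt(user) == "new_authtok_reqd":
        seen.append(EXPIRED_MSG)
        if not pam_chauthtok(user, password, new_password):
            return seen + [AUTHTOK_ERR]  # change failed; login would close
        seen.append("Password changed.")
    return seen + ["session opened for " + user]
```

The first assertion below is the point of Stuart's argument: an unknown account and a known account with a wrong password produce byte-identical replies, so nothing about account validity leaks before authentication succeeds.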