Turns out it was a sysadmin issue.
I noticed that in /etc/pam.d/sshd there was a line:
password required pam_stack.so service=system-auth
there wasn't such a line in the /etc/pam.d/login file. So, I added it to
the /etc/pam.d/login after the account lines and before the session
lines. Now telnet connections and serial port connections behave the
same way as the ssh connections.
Thanks
Chris Kottaridis (chriskot@xxxxxxxxxxxxx)
On Tue, 2008-03-11 at 11:36 -0700, Chris Kottaridis wrote:
> Sorry, I wasn't clear.
>
> Here is what I get when I try and telnet in to localhost:
>
> >> telnet localhost
> >Trying 127.0.0.1...
> >Connected to localhost.
> >Escape character is '^]'.
> >
> >host10 login: tester
> >Password:
> >You are required to change your password immediately (password aged)
> >
> >Authentication token manipulation error
> >Connection closed by foreign host
>
> So, I guess if I didn't get the "Authentication token manipulation
> error" then it'd prompt me for a new password. I get the same kind of
> thing when trying to login on the serial port.
>
> Interestingly enough if I ssh into the machine from another machine I
> seem to get what I want:
>
> >$ ssh tester@xxxxxxxxxxxx
> >tester@xxxxxxxxxxxx's password:
> >You are required to change your password immediately (password aged)
> >
> >
> >WARNING: Your password has expired.
> >You must change your password now and login again!
> >Changing password for tester
> >(current) UNIX password:
>
> Is this related to some sort of PAM configuration options
> in /etc/pam.d/login or possibly login.defs ?
>
> Why would ssh work OK, but telnet to localhost and serial port access
> not work OK ?
>
> Thanks
> Chris Kottaridis (chriskot@xxxxxxxxxxxxx)
>
> On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> > Chris Kottaridis wrote:
> > > When I run:
> > >
> > > $ passwd -e <username>
> > >
> > > To expire a password for a user and then try to log back in for that
> > > user it says that I need to update my password. and then I get back to
> > > the login prompt.
> > >
> > >> You are required to change your password immediately (root enforced)
> > >
> > > I am expecting that it will ask to make a new password:
> > >
> > >> login: adm1
> > >> password: *******
> > >> WARNING: Your password has expired
> > >> You must change your password now and login again!
> > >> Changing password for adm1
> > >> Old password:
> > >> Enter the new password (minimum of 5, maximum of 8 characters)
> > >> Please use a combination of upper and lower case letters and numbers
> > >> New password:
> > >> Re-enter new password:
> > >> Password changed.
> > >
> > > The man page for login implies I should be able to set it at login time:
> > >
> > > --------------------------------
> > > If password aging has been enabled for your account, you may be
> > > prompted for a new password before proceeding. You will be forced to
> > > provide your old password and the new password before continuing.
> > > Please refer to passwd(1) for more information.
> > > --------------------------------
> > >
> > > Am I doing something wrong from a sysadmin point of view or is there
> > > some compile option that needs to be used to get the behavior that I
> > > want ?
> >
> > no you are not. This is down to the order in which login uses PAM to
> > check/change your password:
> > 1. Do you know the (current) password for this account?
> > 2. If so, We know who you are (and that you are entitled to use this
> > account) and can check your account details to set up your session.
> > Once this is done, it becomes apparent that your password has expired
> > and needs changing.
> > 3. We then go through the normal password changing routine.
> >
> >
> > what exactly were you expecting to happen?
> >
> > You type in an account name and immediately get told that the password
> > has expired?
> > This is a security flaw, as it immediately exposes the fact that you
> > have typed in a valid account name (you could be anyone trying to login).
> > Instead the system tries to authenticate you first - you are *always*
> > prompted for a password. If this fails, you (as a possible attacker)
> > don't actually know if you typed an incorrect username or an incorrect
> > password. (or failed for some other reason). All you get is 'login
> > incorrect'
> >
> > Regards,
> >
> > Stuart
>
