Turns out it was a sysadmin issue. I noticed that in /etc/pam.d/sshd there was a line:

password required pam_stack.so service=system-auth

There wasn't such a line in the /etc/pam.d/login file. So, I added it to /etc/pam.d/login after the account lines and before the session lines. Now telnet connections and serial port connections behave the same way as the ssh connections.

Thanks
Chris Kottaridis (chriskot@xxxxxxxxxxxxx)

On Tue, 2008-03-11 at 11:36 -0700, Chris Kottaridis wrote:
> Sorry, I wasn't clear.
>
> Here is what I get when I try and telnet in to localhost:
>
> >> telnet localhost
> >Trying 127.0.0.1...
> >Connected to localhost.
> >Escape character is '^]'.
> >
> >host10 login: tester
> >Password:
> >You are required to change your password immediately (password aged)
> >
> >Authentication token manipulation error
> >Connection closed by foreign host
>
> So, I guess if I didn't get the "Authentication token manipulation
> error" then it'd prompt me for a new password. I get the same kind of
> thing when trying to log in on the serial port.
>
> Interestingly enough, if I ssh into the machine from another machine I
> seem to get what I want:
>
> >$ ssh tester@xxxxxxxxxxxx
> >tester@xxxxxxxxxxxx's password:
> >You are required to change your password immediately (password aged)
> >
> >
> >WARNING: Your password has expired.
> >You must change your password now and login again!
> >Changing password for tester
> >(current) UNIX password:
>
> Is this related to some sort of PAM configuration options
> in /etc/pam.d/login or possibly login.defs?
>
> Why would ssh work OK, but telnet to localhost and serial port access
> not work OK?
>
> Thanks
> Chris Kottaridis (chriskot@xxxxxxxxxxxxx)
>
> On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> > Chris Kottaridis wrote:
> > > When I run:
> > >
> > > $ passwd -e <username>
> > >
> > > to expire a password for a user and then try to log back in for that
> > > user, it says that I need to update my password and then I get back to
> > > the login prompt.
> > >
> > >> You are required to change your password immediately (root enforced)
> > >
> > > I am expecting that it will ask to make a new password:
> > >
> > >> login: adm1
> > >> password: *******
> > >> WARNING: Your password has expired
> > >> You must change your password now and login again!
> > >> Changing password for adm1
> > >> Old password:
> > >> Enter the new password (minimum of 5, maximum of 8 characters)
> > >> Please use a combination of upper and lower case letters and numbers
> > >> New password:
> > >> Re-enter new password:
> > >> Password changed.
> > >
> > > The man page for login implies I should be able to set it at login time:
> > >
> > > --------------------------------
> > > If password aging has been enabled for your account, you may be
> > > prompted for a new password before proceeding. You will be forced to
> > > provide your old password and the new password before continuing.
> > > Please refer to passwd(1) for more information.
> > > --------------------------------
> > >
> > > Am I doing something wrong from a sysadmin point of view, or is there
> > > some compile option that needs to be used to get the behavior that I
> > > want?
> >
> > No, you are not. This is down to the order in which login uses PAM to
> > check/change your password:
> > 1. Do you know the (current) password for this account?
> > 2. If so, we know who you are (and that you are entitled to use this
> > account) and can check your account details to set up your session.
> > Once this is done, it becomes apparent that your password has expired
> > and needs changing.
> > 3. We then go through the normal password changing routine.
> >
> >
> > What exactly were you expecting to happen?
> >
> > You type in an account name and immediately get told that the password
> > has expired?
> > This is a security flaw, as it immediately exposes the fact that you
> > have typed in a valid account name (you could be anyone trying to log in).
> > Instead the system tries to authenticate you first - you are *always*
> > prompted for a password. If this fails, you (as a possible attacker)
> > don't actually know if you typed an incorrect username or an incorrect
> > password (or failed for some other reason). All you get is 'login
> > incorrect'.
> >
> > Regards,
> >
> > Stuart
>
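The fix in the thread amounts to one observation: /etc/pam.d/sshd had a password stack and /etc/pam.d/login did not, so login could report the expired password (from the account stack) but had nothing to run when it went on to change it. The script below is an added example, not code from the thread or from any distribution; it audits a directory of PAM service files for exactly that mismatch (an account stack with no password stack) and inserts the same pam_stack line Chris copied from sshd after the last account line, which is where he placed it. The sample sshd and login files are constructed here to mirror the thread and live in a temporary directory, not the real /etc/pam.d; the module names in them (pam_securetty.so, pam_nologin.so) are assumed, typical for that era but not quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread above. Audits PAM service files for
# the mismatch Chris found: a service whose file has an "account" stack (where
# the expired-password condition is reported) but no "password" stack, so
# login has nothing to run when it tries to change the expired password.
#
# Assumptions: pam_stack-era syntax as in the thread (the inserted line is the
# one Chris copied from /etc/pam.d/sshd); the files audited below are
# constructed samples in a temporary directory, not the real /etc/pam.d.

# List the management groups (auth, account, password, session) present in a
# PAM service file, one per line, with comments and blank lines ignored.
pam_groups() {
    sed -e 's/#.*//' "$1" | awk 'NF { print $1 }' | sort -u
}

# True (exit 0) when the file has an account stack but no password stack.
pam_lacks_password_stack() {
    grps=$(pam_groups "$1")
    echo "$grps" | grep -qx 'account'  || return 1   # no account stack: not our case
    echo "$grps" | grep -qx 'password' && return 1   # password stack present: fine
    return 0
}

# Report every service file in a directory that fails the check above.
pam_audit_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if pam_lacks_password_stack "$f"; then
            echo "$(basename "$f"): account stack but no password stack"
        fi
    done
}

# Insert the password line after the last account line (hence before the
# session lines), which is where Chris put it in /etc/pam.d/login.
# If the file has no account line at all, the entry is appended at the end.
pam_add_password_stack() {
    awk -v line='password   required     pam_stack.so service=system-auth' '
        /^[[:space:]]*account/ { last = NR }
        { buf[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) { print buf[i]; if (i == last) print line }
            if (last == 0) print line
        }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# --- demo on constructed sample files mirroring the thread ------------------
demo_dir=$(mktemp -d)

# sshd: all four stacks present (the case that worked).
cat > "$demo_dir/sshd" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF

# login: no password stack (the telnet/serial failure case).
cat > "$demo_dir/login" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF

echo "before fix:"
pam_audit_dir "$demo_dir"                 # reports the login service
pam_add_password_stack "$demo_dir/login"
echo "after fix:"
pam_audit_dir "$demo_dir"                 # reports nothing
cat "$demo_dir/login"
rm -rf "$demo_dir"
```

Run it against a copy of the real directory (`pam_audit_dir /etc/pam.d`) and it will also flag services that legitimately have no password stack, so treat the output as a list to review rather than to fix blindly. One caveat for anyone reading this thread on a current system: pam_stack.so was later removed from Linux-PAM, and the equivalent line is `password include system-auth` (or `substack`), so the inserted string in `pam_add_password_stack` would need to change accordingly.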