Re: expired passwords

Turns out it was a sysadmin issue.

I noticed that in /etc/pam.d/sshd there was a line:

password   required     pam_stack.so service=system-auth

There wasn't such a line in the /etc/pam.d/login file. So I added it to
/etc/pam.d/login after the account lines and before the session
lines. Now telnet connections and serial port connections behave the
same way as the ssh connections.

Thanks
    Chris Kottaridis    (chriskot@xxxxxxxxxxxxx)



On Tue, 2008-03-11 at 11:36 -0700, Chris Kottaridis wrote:
> Sorry, I wasn't clear.
> 
> Here is what I get when I try and telnet in to localhost:
> 
> >> telnet localhost
> >Trying 127.0.0.1...
> >Connected to localhost.
> >Escape character is '^]'.
> >
> >host10 login: tester
> >Password:
> >You are required to change your password immediately (password aged)
> >
> >Authentication token manipulation error
> >Connection closed by foreign host
> 
> So, I guess if I didn't get the "Authentication token manipulation
> error" then it'd prompt me for a new password. I get the same kind of
> thing when trying to log in on the serial port.
> 
> Interestingly enough if I ssh into the machine from another machine I
> seem to get what I want:
> 
> >$ ssh tester@xxxxxxxxxxxx
> >tester@xxxxxxxxxxxx's password:
> >You are required to change your password immediately (password aged)
> >
> >
> >WARNING: Your password has expired.
> >You must change your password now and login again!
> >Changing password for tester
> >(current) UNIX password:            
> 
> Is this related to some sort of PAM configuration options
> in /etc/pam.d/login or possibly login.defs ?
> 
> Why would ssh work OK, but telnet to localhost and serial port access
> not work OK?
> 
> Thanks
>     Chris Kottaridis    (chriskot@xxxxxxxxxxxxx)
> 
> On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> > Chris Kottaridis wrote:
> > > When I run:
> > > 
> > > $ passwd -e <username>
> > > 
> > > To expire a password for a user and then try to log back in for that
> > > user, it says that I need to update my password, and then I get back to
> > > the login prompt.
> > > 
> > >> You are required to change your password immediately (root enforced)
> > > 
> > > I am expecting that it will ask to make a new password:
> > > 
> > >> login: adm1
> > >> password: *******
> > >> WARNING: Your password has expired
> > >> You must change your password now and login again!
> > >> Changing password for adm1
> > >> Old password:
> > >> Enter the new password (minimum of 5, maximum of 8 characters)
> > >> Please use a combination of upper and lower case letters and numbers
> > >> New password:
> > >> Re-enter new password:
> > >> Password changed.
> > > 
> > > The man page for login implies I should be able to set it at login time:
> > > 
> > > --------------------------------
> > >  If password aging has been enabled for your account, you may be
> > >  prompted for a new password before proceeding. You will be forced to
> > >  provide your old password and the new password before continuing.
> > >  Please refer to passwd(1) for more information.
> > > --------------------------------
> > > 
> > > Am I doing something wrong from a sysadmin point of view or is there
> > > some compile option that needs to be used to get the behavior that I
> > > want?
> > 
> > No, you are not. This is down to the order in which login uses PAM to
> > check/change your password:
> > 1. Do you know the (current) password for this account?
> > 2. If so, we know who you are (and that you are entitled to use this
> > account) and can check your account details to set up your session.
> > Once this is done, it becomes apparent that your password has expired
> > and needs changing.
> > 3. We then go through the normal password changing routine.
> > 
> > 
> > what exactly were you expecting to happen?
> > 
> > You type in an account name and immediately get told that the password
> > has expired?
> > This is a security flaw, as it immediately exposes the fact that you
> > have typed in a valid account name (you could be anyone trying to log in).
> > Instead the system tries to authenticate you first - you are *always*
> > prompted for a password. If this fails, you (as a possible attacker)
> > don't actually know if you typed an incorrect username or an incorrect
> > password. (or failed for some other reason). All you get is 'login
> > incorrect'
> > 
> > Regards,
> > 
> > Stuart
> 

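As an added example (not part of the thread, and not a Fedora or Linux-PAM
file), here is a small POSIX shell check for the gap found at the top of this
message: it lists the module types (auth/account/password/session) in a PAM
service file, compares them with a reference service, and flags a login file
that has no "password" stack, which is what leaves login(1) with nothing to
run when it tries to force the change of an expired password. The three
service files it checks are constructed here, modelled on the pam_stack.so
layout quoted in the thread, and are written to temporary files so the script
runs on any box; their names and the function names are this example's own.

```shell
#!/bin/sh
# Added example: detect a PAM service file that lacks a "password" stack.
# Sample service files below are constructed for this example and are not
# copied from any real system.

# Print the module type of every active line of a PAM service file, in file
# order. Comment and blank lines are skipped. The control field may be a
# keyword or a "[value=action ...]" bracket and the module may have
# arguments, but the type is always field 1, so only that is kept.
pam_module_types() {
    grep -v '^[[:space:]]*#' "$1" | awk 'NF { print $1 }'
}

# Succeed if the file has at least one "password" line.
has_password_stack() {
    pam_module_types "$1" | grep -qx password
}

# Print the module types present in the reference file ($1) but absent from
# the target ($2), one per line. Empty output means nothing is missing.
# This is the comparison between /etc/pam.d/sshd and /etc/pam.d/login that
# the fix in this thread was found by doing by eye.
missing_types() {
    for t in $(pam_module_types "$1" | sort -u); do
        pam_module_types "$2" | grep -qx "$t" || echo "$t"
    done
}

# Report on one service file against a reference service.
# Exit status: 0 ok, 1 no password stack, 2 other module types missing.
check_login_pam() {
    target=$1
    reference=$2
    if ! has_password_stack "$target"; then
        echo "$target: no 'password' stack; an expired password cannot be changed at login"
        return 1
    fi
    missing=$(missing_types "$reference" "$target")
    if [ -n "$missing" ]; then
        echo "$target: module types in $reference but missing here: $(printf '%s' "$missing" | tr '\n' ' ')"
        return 2
    fi
    echo "$target: password stack present; same module types as $reference"
    return 0
}

# --- constructed sample files (not real system files) -----------------------

SSHD_REF=$(mktemp)
BROKEN_LOGIN=$(mktemp)
FIXED_LOGIN=$(mktemp)
trap 'rm -f "$SSHD_REF" "$BROKEN_LOGIN" "$FIXED_LOGIN"' EXIT

# Reference: an sshd service with all four stacks delegated to system-auth.
cat > "$SSHD_REF" <<'EOF'
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
EOF

# The shape of the login file before the fix: no password stack at all.
cat > "$BROKEN_LOGIN" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
EOF

# The same file after adding the sshd line between the account and session
# stacks, as the fix described above did.
cat > "$FIXED_LOGIN" <<'EOF'
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
EOF

# Stand-alone run. The "||" keeps a failing check from aborting the script
# under "set -e"; $? on the right-hand side is the status of the check.
for f in "$BROKEN_LOGIN" "$FIXED_LOGIN"; do
    check_login_pam "$f" "$SSHD_REF" || echo "  (exit status $?)"
done
```

The check keys on field 1 only, so it works unchanged on current Linux-PAM
files, where pam_stack.so is gone and the delegation is written as
"password   include   system-auth" (or "substack"). It only confirms that a
password stack exists; whether the modules in system-auth's password stack can
actually change the token for that account (shadow access, pam_unix arguments)
is a separate question. To run it against a live system, pass /etc/pam.d/login
and /etc/pam.d/sshd to check_login_pam instead of the temporary files.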
