[29118] in Kerberos
Re: password expiry for a principal
daemon@ATHENA.MIT.EDU (Coy Hile)
Sun Jan 20 12:04:14 2008
Date: Sun, 20 Jan 2008 12:01:02 -0500 (EST)
From: Coy Hile <coy.hile@coyhile.com>
To: Russ Allbery <rra@stanford.edu>
In-Reply-To: <87wsq5blvc.fsf@windlord.stanford.edu>
Message-ID: <Pine.GSO.4.61.0801201153360.10312@supergrover.coyhile.com>
Cc: kerberos@mit.edu
On Sat, 19 Jan 2008, Russ Allbery wrote:
I'm running Solaris 10 Update 4, and when using Russ' pam_krb5 on a
principal whose password has expired, I see the following in the debug
log:
|Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: attempting authentication as cah220@COYHILE.COM
|Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: krb5_get_init_creds_password: Password has expired
|Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: <unknown>: exit (failure)
For what it's worth, I've got the following in my pam.conf on this box:
# grep sshd-kbdint pam.conf
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required /tmp/pam_krb5.so.1 debug
sshd-kbdint auth optional pam_unix_auth.so.1
sshd-kbdint session required /tmp/pam_krb5.so.1 debug
#
Am I running into SEAM just not supporting "hey bozo, your password is
expired, change it now", or did I hork the configuration somehow?
If you want, I can also provide the sshd_config.
I appreciate any help you can give with this; I'm still a bit of a
novice when it comes to doing anything cute. Along the same lines, is
there any way to bounce back something like "Your password is going to
expire in n days" during the authentication process? (say only if n <
10). Actually strike that. Is there some easy way to write an app
that you'd run from /etc/profile to banner that sort of information? If
I were using normal UNIX auth, I could do that relatively easily using
the information in the shadow file.
--
Coy Hile
coy.hile@coyhile.com
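
An added example, not part of the original message and not pam_krb5's own code: a Python parser for the Solaris syslog debug lines quoted in the message, pairing each authentication attempt with its Kerberos error by sshd PID so that expired-password failures can be separated from other failures. The sample input is the three log lines from the message, unwrapped; the function name and result fields are assumptions made for illustration.

```python
import re
from collections import defaultdict

# The three log lines from the message above, unwrapped to one entry per line.
SAMPLE_LOG = """\
Jan 20 11:52:03 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: attempting authentication as cah220@COYHILE.COM
Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: krb5_get_init_creds_password: Password has expired
Jan 20 11:52:05 login sshd[10303]: [ID 584047 auth.debug] (pam_krb5): cah220: <unknown>: exit (failure)
"""

# Layout seen in those lines:
#   timestamp host proc[pid]: [ID n facility.level] (pam_krb5): user: message
LINE_RE = re.compile(
    r"^\|?(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: "
    r"\[ID \d+ (?P<prio>[\w.]+)\] \(pam_krb5\): (?P<user>[^:]+): (?P<msg>.*)$"
)
EXIT_RE = re.compile(r"exit \((\w+)\)$")  # captures the word inside "exit (...)"

def summarize(log_text):
    """Group pam_krb5 debug lines by (process, pid) and classify each attempt."""
    sessions = defaultdict(lambda: {"user": None, "principal": None,
                                    "error": None, "outcome": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a pam_krb5 debug line in this layout
        s = sessions[(m["proc"], m["pid"])]
        s["user"] = m["user"]
        msg = m["msg"]
        exit_match = EXIT_RE.search(msg)
        if msg.startswith("attempting authentication as "):
            s["principal"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("krb5_") and ": " in msg:
            # "<krb5 function>: <error text>", as in the second sample line
            s["error"] = msg.split(": ", 1)[1]
        elif exit_match:
            s["outcome"] = exit_match.group(1)
    for s in sessions.values():
        # Flag the case from the message: failure caused by an expired password.
        s["expired"] = (s["outcome"] == "failure"
                        and s["error"] == "Password has expired")
    return dict(sessions)

if __name__ == "__main__":
    for (proc, pid), s in summarize(SAMPLE_LOG).items():
        print(proc, pid, s)
```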