[31579] in Kerberos


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

password expiration/change request fails to ask

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Tue Oct 13 17:12:09 2009

Message-ID: <4AD4ECE7.6020309@kickflop.net>
Date: Tue, 13 Oct 2009 17:11:03 -0400
From: Jeff Blaine <jblaine@kickflop.net>
MIME-Version: 1.0
To: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Solaris 10 SPARC OS
Solaris 10 / Sun sshd
MIT Kerberos 1.7
Russ Alberry's fantastic pam_krb5 3.15 linked to above

Solaris 9 + MIT Kerberos + RA pam_krb5 works!

RHELv5 with stock MIT Kerberos + RA pam_krb5 works!

The setup above fails.

On the client side, I merely see "Permission denied."
instead of being asked to change my expired password.

If anyone has any ideas, I would love to hear them.

% ssh cairo
jblaine@cairo's password:
Permission denied, please try again.

#
# all krb5kdc.log info matching the timestamp
#
Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 
1 3 2}) xxx.xx.10.14: CLIENT KEY EXPIRED: jblaine@FOO.COM for 
krbtgt/FOO.COM@FOO.COM, Password has expired
Oct 13 16:54:10 kdc1 krb5kdc[2723](info): AS_REQ (7 etypes {18 17 16 23 
1 3 2}) xxx.xx.10.14: ISSUE: authtime 1255467250, etypes {rep=16 tkt=16 
ses=16}, jblaine@FOO.COM for kadmin/changepw@FOO.COM


#
# all *.debug syslog info matching the timestamp
#
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): 
jblaine: attempting authentication as jblaine@FOO.COM
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): 
jblaine: krb5_get_init_creds_password: Generic error (see e-text)
Oct 13 16:54:10 cairo sshd[13611]: [ID 584047 auth.debug] (pam_krb5): 
jblaine: pam_sm_authenticate: exit (failure)
Oct 13 16:54:10 cairo sshd[13611]: [ID 800047 auth.notice] Failed 
password for jblaine from xxx.xx.xx.xxx port 36735 ssh2

#
# /etc/pam.conf
#
sshd-password auth requisite    pam_authtok_get.so.1
sshd-password auth sufficient   pam_krb5RA.so try_first_pass forwardable 
minimum_uid=92 debug
sshd-password auth required     pam_unix_auth.so.1
sshd-password auth required     pam_unix_cred.so.1
sshd-password auth optional     pam_afs_session.so minimum_uid=92 debug
sshd-password session optional  pam_krb5RA.so minimum_uid=92 debug
sshd-password session optional  pam_afs_session.so minimum_uid=92 debug


________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[31579] in Kerberos

password expiration/change request fails to ask

daemon@ATHENA.MIT.EDU (Jeff Blaine)Tue Oct 13 17:12:09 2009

daemon@ATHENA.MIT.EDU (Jeff Blaine)
Tue Oct 13 17:12:09 2009