06-14-2011, 10:03 PM
David Barr

sshd/pam_ldap not honoring passwordMustChange

I know this is outside the scope of the 389 list, but my Google-fu is
failing me on this one.

If I change the password to the account on the LDAP server and verify
"passwordmustchange: on," I can ssh in to the test host with the new
password all day long, and never get asked to change it.

I'm hoping someone has seen a document recently that they could link to.
I've seen the "PAM Configuration for LDAP Client Systems" page on the
wiki. That deals more with setting password expiration, though.

Thanks!
David

--
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
Integrity*Commitment*Communication*Support


--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
06-15-2011, 05:21 PM
Aaron Hagopian

Re: sshd/pam_ldap not honoring passwordMustChange

I have not seen or used the passwordMustChange attribute before, but I can tell you that if you set passwordExpirationTime as follows:

passwordExpirationTime: 19700101000000Z

it should force the user to change their password on their next login. Keep in mind you will not get a prompt if you use a passwordless ssh login via RSA key exchange.

Hope that helps.
Thanks,
Aaron

 
06-20-2011, 11:27 PM
David Barr

Re: sshd/pam_ldap not honoring passwordMustChange

passwordExpirationTime might be the root of the problem.

1) Set the user's password in the Console via right-click and
"Properties." Click "Okay."

2) Open Advanced Properties and note that passwordExpirationTime is
19700101000001Z.

3) Log in as the test user with the reset password. The login is
successful, and no password change is required.

4) Return to Advanced Properties, and change passwordExpirationTime to
19700101000000Z without changing the password from Step 1.

5) Log in as the test user with the reset password from step 1. Be forced
through the password change process. Note that the session terminates
after a good, new password is set.

6) Return to Advanced Properties and note that passwordExpirationTime is
19700101000001Z, again.

I'm not sure if I've missed some aspect of resetting a password from the
console, or if RHDS has a bug in failing to modify passwordExpirationTime
when the password is changed, or if this is something else entirely.

Thanks!
David


--
David - Offbeat http://dafydd.livejournal.com
dafydd - Online http://pgp.mit.edu/
Battalion 4 - Black Rock City Emergency Services Department
Integrity*Commitment*Communication*Support


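Added example, not code from the thread, from 389 DS or from pam_ldap: a small Python audit script that reads the passwordExpirationTime values out of ldapsearch output, classifies each account the way the thread observed a pam_ldap login treats them, and emits the ldapmodify LDIF that sets the exact value Aaron suggested. The meaning attached to the two sentinel values is an assumption taken only from David's test (19700101000000Z forced a change; the 19700101000001Z the console wrote did not); the LDIF input, DNs and timestamps are constructed for the example. Because a key-based ssh login never reaches the PAM password-change prompt, as Aaron notes, a server-side audit like this is how you find accounts that still carry a reset that was never enforced.

```python
from datetime import datetime, timezone

# Sentinel values taken from the thread's observations only (assumption: their
# meaning is what David's test showed on his host, not a documented 389 DS contract).
EPOCH = "19700101000000Z"           # Aaron's value: login was forced to change the password
EPOCH_PLUS_ONE = "19700101000001Z"  # what the console reset wrote: login was not forced


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ GeneralizedTime form 389 DS writes into a UTC datetime."""
    if len(value) != 15 or not value.endswith("Z"):
        raise ValueError("unexpected GeneralizedTime: %r" % (value,))
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def classify(expiration, now=None):
    """Say how a login through pam_ldap can be expected to treat this value.

    `now` is a GeneralizedTime string; it defaults to the current UTC time.
    """
    if expiration == EPOCH:
        return "must-change"          # the only value that forced a change in the thread
    if expiration == EPOCH_PLUS_ONE:
        return "reset-not-enforced"   # in the past, yet the client let the login through
    now_dt = parse_generalized_time(now) if now else datetime.now(timezone.utc)
    return "expired" if parse_generalized_time(expiration) <= now_dt else "valid"


def parse_ldif_entries(text):
    """Minimal LDIF reader for `ldapsearch -LLL` output: list of (dn, {attr: [values]}).

    Base64 ("::") values and line continuations are not handled; passwordExpirationTime
    never needs them.
    """
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if dn:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        val = val.strip()
        if key == "dn":
            dn = val
        else:
            attrs.setdefault(key, []).append(val)
    return entries


def audit(ldif_text, now=None):
    """Map each dn to its classification so accounts with a stale reset stand out."""
    report = {}
    for dn, attrs in parse_ldif_entries(ldif_text):
        values = attrs.get("passwordExpirationTime")
        report[dn] = classify(values[0], now) if values else "no-expiration-set"
    return report


def force_change_ldif(dn):
    """ldapmodify input that sets the exact epoch value the thread found to work."""
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: passwordExpirationTime",
        "passwordExpirationTime: " + EPOCH,
        "",
    ])


# Constructed sample of `ldapsearch -LLL -b ou=People,dc=example,dc=com passwordExpirationTime`
# output; the DNs and values are made up for this example.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000000Z

dn: uid=bob,ou=People,dc=example,dc=com
passwordExpirationTime: 19700101000001Z

dn: uid=carol,ou=People,dc=example,dc=com
passwordExpirationTime: 20110601000000Z

dn: uid=dave,ou=People,dc=example,dc=com
passwordExpirationTime: 20111231235959Z

dn: uid=erin,ou=People,dc=example,dc=com
uid: erin
"""

if __name__ == "__main__":
    for dn, state in audit(SAMPLE_LDIF, now="20110615000000Z").items():
        print("%-45s %s" % (dn, state))
        if state == "reset-not-enforced":
            print(force_change_ldif(dn))
```

In practice you would feed `audit()` the real output of `ldapsearch -LLL -x -D "cn=Directory Manager" -W -b ou=People,dc=example,dc=com passwordExpirationTime` and pipe each `force_change_ldif()` result into `ldapmodify` with the same admin bind; the `now` argument exists so the classification can be replayed against a fixed point in time when reviewing an incident.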