Bug 117429

Summary: Unable to force password change on first login via ssh.
Product: Red Hat Enterprise Linux 3
Component: openssh
Version: 3.0
Status: CLOSED DUPLICATE
Severity: medium
Priority: medium
Hardware: All
OS: Linux
Reporter: Chris Kloiber <ckloiber>
Assignee: Tomas Mraz <tmraz>
QA Contact: Brian Brock <bbrock>
CC: jason+redhat-bugzilla
Doc Type: Bug Fix
Last Closed: 2005-02-07 15:02:51 UTC

Description Chris Kloiber 2004-03-03 21:17:16 UTC
Description of problem:

Customer wishes to force users to change their password on first login
to Red Hat Enterprise 3 system when connection is via ssh only. I
spoke with Nalin about this a while back and was told this does not work. 

The customer says that is a regression since Red Hat Enterprise Linux
2.1 as he says it works fine there. The error he sees when he tries
this on RHEL3 is:

"PAM rejected by account configuration"

The steps he took on RHEL2.1 and wants to continue to use on RHEL3 are:

1.) passwd <username> 
     -change user's password to a generic one 
2.) chage -d 0 <username>
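
An added example, not part of the original report: a shell check an administrator could run after steps 1 and 2 to confirm which accounts are in the forced-change state that `chage -d 0` sets, and so will hit the password-change prompt at their next ssh login. The function names and sample entries are constructed for illustration; field meanings follow shadow(5).

```shell
#!/bin/sh
# Added example. Shadow entry layout (shadow(5)), ages in days since 1970-01-01:
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
# `chage -d 0 <username>` sets lastchg to 0, meaning "change at next login".

# Constructed sample entries (not real accounts or hashes).
sample_shadow() {
    cat <<'EOF'
alice:$1$constructed$hash:12480:0:90:7:::
newuser:$1$constructed$hash:0:0:90:7:::
bob:$1$constructed$hash:12300:0:90:7:::
svc:!!:12000:0:99999:7:::
carol:$1$constructed$hash::0:::::
EOF
}

# password_state FILE TODAY_DAYS
# Prints "user state" per entry; state is one of:
#   locked    hash starts with ! or * (password login disabled)
#   forced    lastchg is 0, change required at next login
#   expired   lastchg + max < today (password aged out)
#   ok        none of the above (empty lastchg or max means no ageing)
password_state() {
    awk -F: -v today="$2" '
        $0 == "" || /^#/ { next }               # skip blank and comment lines
        NF < 5 { print $1, "malformed"; next }  # too short to hold ageing fields
        {
            state = "ok"
            if ($2 ~ /^[!*]/)      state = "locked"
            else if ($3 == "0")    state = "forced"
            else if ($3 != "" && $5 != "" && $3 + $5 < today) state = "expired"
            print $1, state
        }' "$1"
}

# forced_users FILE: names only, e.g. to verify a provisioning run.
forced_users() {
    password_state "$1" 0 | awk '$2 == "forced" { print $1 }'
}

# Usage on a live system (root is needed to read /etc/shadow):
#   sh thisfile /etc/shadow
if [ $# -ge 1 ]; then
    password_state "$1" "$(( $(date +%s) / 86400 ))"
fi
```
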

Comment 1 Jason W. Mitchell 2004-08-07 18:11:34 UTC
procedure as above:

  $ ssh username@host
  username@host's password:
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user USERNAME.
  Changing password for USERNAME
  (current) UNIX password: *******
  passwd: Authentication token manipulation error
  Connection to HOST closed.


$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 3 (Taroon Update 2)

System is "up2date" current as of 2004/80/06.

$ rpm -q openssh openssl pam
openssh-3.6.1p2-33.30.1
openssl-0.9.7a-33.4
pam-0.75-54

Also occurs with openssh-3.8.1p1 built w/ the 3.6.1p2-33.30.1 spec

$ cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

$ cat /etc/ssh/sshd_conf
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication yes
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes
LogLevel INFO
PermitRootLogin no
Port 22
Protocol 2
SyslogFacility AUTH
TCPKeepAlive yes
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Comment 2 Jason W. Mitchell 2004-08-08 23:25:59 UTC
up2date to kernel-smp-2.4.21-15.0.4.EL from
kernel-smp-2.4.21-15.0.3.EL solves my problem above.

The problem does not occur on stock kernel-smp-2.4.21-15.EL. (RHEL3u2)

Comment 3 Tomas Mraz 2005-02-07 15:02:51 UTC

*** This bug has been marked as a duplicate of 124602 ***