Red Hat Bugzilla – Bug 117429
Unable to force password change on first login via ssh.
Last modified: 2007-11-30 17:07:00 EST
Description of problem:
Customer wishes to force users to change their password on first login
to a Red Hat Enterprise 3 system when the connection is via ssh only. I
spoke with Nalin about this a while back and was told this does not work.
The customer says that is a regression since Red Hat Enterprise Linux
2.1 as he says it works fine there. The error he sees when he tries
this on RHEL3 is:
"PAM rejected by account configuration"
The steps he took on RHEL2.1 and wants to continue to use on RHEL3 are:
1.) passwd <username>
    - change user's password to a generic one
2.) chage -d 0 <username>
procedure as above:
$ ssh username@host
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user USERNAME.
Changing password for USERNAME
(current) UNIX password: *******
passwd: Authentication token manipulation error
Connection to HOST closed.
$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 3 (Taroon Update 2)
System is "up2date" current as of 2004/80/06.
$ rpm -q openssh openssl pam
Also occurs with openssh-3.8.1p1 built w/ the 3.6.1p2-33.30.1 spec
$ cat /etc/pam.d/sshd
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
$ cat /etc/ssh/sshd_conf
Subsystem sftp /usr/libexec/openssh/sftp-server
up2date to kernel-smp-2.4.21-15.0.4.EL from
kernel-smp-2.4.21-15.0.3.EL solves my problem above.
The problem does not occur on stock kernel-smp-2.4.21-15.EL. (RHEL3u2)
*** This bug has been marked as a duplicate of 124602 ***
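
An added example, not part of the bug report or of any comment in it: a shell check that the `chage -d 0` step from the description took effect, reading shadow(5)-format lines and reporting the aging state of each account. The function names, the sample accounts, the placeholder hash field and the day number 12650 are constructed for illustration.

```shell
#!/bin/sh
# Added example: report password-aging state from shadow(5)-format lines.
# Field 3 is the last-change day (days since 1970-01-01); "chage -d 0" sets
# it to 0, which marks the account as "must change password at next login".

# Constructed sample input (placeholder hash field, invented accounts).
sample_shadow() {
    cat <<'EOF'
newuser:PLACEHOLDER:0:0:99999:7:::
olduser:PLACEHOLDER:12000:0:90:7:::
current:PLACEHOLDER:12600:0:90:7:::
service:PLACEHOLDER::0:99999:7:::
EOF
}

# aging_state [today]: read shadow-format lines on stdin, print "user state".
# today = days since the epoch; defaults to the current date.
aging_state() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 5 { next }            # skip comments and malformed lines
        {
            lastchg = $3; max = $5
            if (lastchg == "")                            state = "aging-disabled"
            else if (lastchg == 0)                        state = "must-change"
            else if (max != "" && today > lastchg + max)  state = "expired"
            else                                          state = "ok"
            print $1, state
        }'
}

# Stand-alone run on the constructed sample, with "today" fixed at day 12650.
sample_shadow | aging_state 12650
```

On a live system the input would be `/etc/shadow`, which is readable only by root.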