Bug 117429 - Unable to force password change on first login via ssh.
Status: CLOSED DUPLICATE of bug 124602
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: openssh
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
Reported: 2004-03-03 21:17 UTC by Chris Kloiber
Modified: 2007-11-30 22:07 UTC

Doc Type: Bug Fix
Last Closed: 2005-02-07 15:02:51 UTC


Description Chris Kloiber 2004-03-03 21:17:16 UTC
Description of problem:

Customer wishes to force users to change their password on first login
to Red Hat Enterprise 3 system when connection is via ssh only. I
spoke with Nalin about this a while back and was told this does not work. 

The customer says that is a regression since Red Hat Enterprise Linux
2.1 as he says it works fine there. The error he sees when he tries
this on RHEL3 is:

"PAM rejected by account configuration"

The steps he took on RHEL2.1 and wants to continue to use on RHEL3 are:

1.) passwd <username> 
     -change user's password to a generic one 
2.) chage -d 0 <username>
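
As an added example (not part of the original report or of any Red Hat tooling), the shell function below classifies shadow(5)-format entries so an administrator can confirm that `chage -d 0` really left an account in the forced-change state before debugging sshd or PAM. The user names, placeholder hashes and the day number 12480 are constructed sample values.

```shell
#!/bin/sh
# Added example: classify shadow(5)-format entries by password-aging state.
# Field 3 is the last-change day; `chage -d 0` sets it to 0, which means
# "must change at next login".

# Constructed sample entries (hypothetical users, placeholder hashes).
sample_shadow() {
    cat <<'EOF'
newuser:$1$constructed$hash:0:0:99999:7:::
olduser:$1$constructed$hash:12000:0:90:7:::
svc:!!:12400:0:99999:7:::
legacy:$1$constructed$hash:::::::
pending:!!:0:0:99999:7:::
EOF
}

# audit_shadow FILE [TODAY]  -> prints "user:state" per entry.
# TODAY is days since 1970-01-01; defaults to the current day.
audit_shadow() {
    file=$1
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        /^#/ || NF < 5 { next }                 # skip comments, short lines
        {
            state = "ok"
            if ($3 == "")       state = "aging-disabled"   # empty field 3
            else if ($3 == 0)   state = "must-change"      # chage -d 0
            else if ($5 != "" && today > $3 + $5) state = "expired"
            # A hash starting with ! or * cannot match any typed password.
            if ($2 ~ /^[!*]/)   state = state ",locked"
            else if ($2 == "")  state = state ",no-password"
            print $1 ":" state
        }' "$file"
}

# Demo on the constructed sample; 12480 is a constructed "today".
tmp=$(mktemp)
sample_shadow > "$tmp"
audit_shadow "$tmp" 12480
rm -f "$tmp"
```

On a live system, run `audit_shadow /etc/shadow` as root; a `must-change,locked` result means the expiry flag is set but the account has no usable password to log in with.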

Comment 1 Jason W. Mitchell 2004-08-07 18:11:34 UTC
procedure as above:

  $ ssh username@host
  username@host's password:
  WARNING: Your password has expired.
  You must change your password now and login again!
  Changing password for user USERNAME.
  Changing password for USERNAME
  (current) UNIX password: *******
  passwd: Authentication token manipulation error
  Connection to HOST closed.

$ cat /etc/redhat-release
Red Hat Enterprise Linux WS release 3 (Taroon Update 2)

System is "up2date" current as of 2004/80/06.

$ rpm -q openssh openssl pam

Also occurs with openssh-3.8.1p1 built w/ the 3.6.1p2-33.30.1 spec

$ cat /etc/pam.d/sshd
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so

$ cat /etc/ssh/sshd_conf
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication yes
HostbasedAuthentication no
HostKey /etc/ssh/ssh_host_dsa_key
IgnoreRhosts yes
LogLevel INFO
PermitRootLogin no
Port 22
Protocol 2
SyslogFacility AUTH
TCPKeepAlive yes
X11DisplayOffset 10
X11Forwarding yes
X11UseLocalhost yes
Subsystem       sftp    /usr/libexec/openssh/sftp-server

Comment 2 Jason W. Mitchell 2004-08-08 23:25:59 UTC
up2date to kernel-smp-2.4.21-15.0.4.EL from kernel-smp-2.4.21-15.0.3.EL
solves my problem above.

The problem does not occur on stock kernel-smp-2.4.21-15.EL. (RHEL3u2)

Comment 3 Tomas Mraz 2005-02-07 15:02:51 UTC

*** This bug has been marked as a duplicate of 124602 ***
