Description of problem: Customer wishes to force users to change their password on first login to Red Hat Enterprise 3 system when connection is via ssh only. I spoke with Nalin about this a while back and was told this does not work. The customer says that is a regression since Red Hat Enterprise Linux 2.1 as he says it works fine there. The error he sees when he tries this on RHEL3 is: "PAM rejected by account configuration" The steps he took on RHEL2.1 and wants to continue to use on RHEL3 are: 1.) passwd <username> -change user's password to a generic one 2.) chage -d 0 <username>
procedure as above: $ ssh username@host username@host's password: WARNING: Your password has expired. You must change your password now and login again! Changing password for user USERNAME. Changing password for USERNAME (current) UNIX password: ******* passwd: Authentication token manipulation error Connection to HOST closed. $ cat /etc/redhat-release Red Hat Enterprise Linux WS release 3 (Taroon Update 2) System is "up2date" current as of 2004/80/06. $ rpm -q openssh openssl pam openssh-3.6.1p2-33.30.1 openssl-0.9.7a-33.4 pam-0.75-54 Also occurs with openssh-3.8.1p1 built w/ the 3.6.1p2-33.30.1 spec $ cat /etc/pam.d/sshd #%PAM-1.0 auth required pam_stack.so service=system-auth auth required pam_nologin.so account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_stack.so service=system-auth session required pam_limits.so session optional pam_console.so $ cat /etc/ssh/sshd_conf AuthorizedKeysFile .ssh/authorized_keys ChallengeResponseAuthentication yes HostbasedAuthentication no HostKey /etc/ssh/ssh_host_dsa_key IgnoreRhosts yes LogLevel INFO PermitRootLogin no Port 22 Protocol 2 SyslogFacility AUTH TCPKeepAlive yes X11DisplayOffset 10 X11Forwarding yes X11UseLocalhost yes Subsystem sftp /usr/libexec/openssh/sftp-server
up2date to kernel-smp-2.4.21-15.0.4.EL from kernel-smp-2.4.21-15.0.3.EL solves my problem above. The problem does not occur on stock kernel-smp-2.4.21-15.EL. (RHEL3u2)
*** This bug has been marked as a duplicate of 124602 ***