expired passwords

Chris Kottaridis chriskot at quietwind.net
Tue Mar 11 18:36:25 UTC 2008


Sorry, I wasn't clear.

Here is what I get when I try and telnet in to localhost:

>> telnet localhost
>Trying 127.0.0.1...
>Connected to localhost.
>Escape character is '^]'.
>
>host10 login: tester
>Password:
>You are required to change your password immediately (password aged)
>
>Authentication token manipulation error
>Connection closed by foreign host

So, I guess if I didn't get the "Authentication token manipulation
error" then it'd prompt me for a new password. I get the same kind of
thing when trying to login on the serial port.

Interestingly enough if I ssh into the machine from another machine I
seem to get what I want:

>$ ssh tester at 172.25.33.60
>tester at 172.25.33.60's password:
>You are required to change your password immediately (password aged)
>
>
>WARNING: Your password has expired.
>You must change your password now and login again!
>Changing password for tester
>(current) UNIX password:

Is this related to some sort of PAM configuration option
in /etc/pam.d/login or possibly login.defs?

Why would ssh work OK, but telnet to localhost and serial port access
not work OK?

Thanks
    Chris Kottaridis    (chriskot at quietwind.net)

On Tue, 2008-03-11 at 16:32 +0000, Stuart Sears wrote:
> Chris Kottaridis wrote:
> > When I run:
> > 
> > $ passwd -e <username>
> > 
> > To expire a password for a user and then try to log back in for that
> > user it says that I need to update my password. and then I get back to
> > the login prompt.
> > 
> >> You are required to change your password immediately (root enforced)
> > 
> > I am expecting that it will ask to make a new password:
> > 
> >> login: adm1
> >> password: *******
> >> WARNING: Your password has expired
> >> You must change your password now and login again!
> >> Changing password for adm1
> >> Old password:
> >> Enter the new password (minimum of 5, maximum of 8 characters)
> >> Please use a combination of upper and lower case letters and numbers
> >> New password:
> >> Re-enter new password:
> >> Password changed.
> > 
> > The man page for login implies I should be able to set it at login time:
> > 
> > --------------------------------
> >  If password aging has been enabled for your account, you may be
> >  prompted for a new password before proceeding. You will be forced to
> >  provide your old password and the new password before continuing.
> >  Please refer to passwd(1) for more information.
> > --------------------------------
> > 
> > Am I doing something wrong from a sysadmin point of view or is there
> > some compile option that needs to be used to get the behavior that I
> > want ?
> 
> No, you are not. This is down to the order in which login uses PAM to
> check/change your password:
> 1. Do you know the (current) password for this account?
> 2. If so, we know who you are (and that you are entitled to use this
> account) and can check your account details to set up your session.
> Once this is done, it becomes apparent that your password has expired 
> and needs changing.
> 3. We then go through the normal password changing routine.
> 
> 
> what exactly were you expecting to happen?
> 
> You type in an account name and immediately get told that the password 
> has expired?
> This is a security flaw, as it immediately exposes the fact that you 
> have typed in a valid account name (you could be anyone trying to login).
> Instead, the system tries to authenticate you first - you are *always*
> prompted for a password. If this fails, you (as a possible attacker)
> don't actually know if you typed an incorrect username or an incorrect 
> password. (or failed for some other reason). All you get is 'login 
> incorrect'
> 
> Regards,
> 
> Stuart
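
A check that follows from Stuart's ordering (auth, then account, then the password change), added here as an example and not part of the thread: the "account" group is where PAM reports an expired password, and the application then calls pam_chauthtok(), which walks the service's "password" group, so a service file that lacks that group can authenticate you and detect the expiry but has nothing to run for the forced change. The script parses PAM service files and reports, per service, whether a "password" group exists; the two config texts are constructed samples, not the poster's /etc/pam.d/login or /etc/pam.d/sshd, and the thread does not establish what the real cause on his machine was.

```shell
#!/bin/sh
# Constructed sample of an /etc/pam.d/login that authenticates and checks the
# account but carries no "password" group (hypothetical, not the poster's file).
LOGIN_PAM='# login service (constructed sample)
auth       required   pam_securetty.so
auth       required   pam_unix.so
account    required   pam_unix.so
session    required   pam_unix.so'

# Constructed sample of an /etc/pam.d/sshd that does carry a password group.
SSHD_PAM='# sshd service (constructed sample)
auth       required   pam_unix.so
account    required   pam_unix.so
password   required   pam_unix.so use_authtok
session    required   pam_unix.so'

# pam_stack_modules TEXT GROUP: print the modules listed for one management
# group (auth, account, password, session), skipping comments and blank lines
# and dropping the optional leading "-" that marks a module as non-fatal if missing.
pam_stack_modules() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { sub(/^-/, "", $1) }
        $1 == grp { print $3 }'
}

# pam_can_change_password TEXT: succeed when the service has at least one
# module in its "password" group, i.e. something for pam_chauthtok() to walk
# after the "account" group has reported the password as expired.
pam_can_change_password() {
    [ -n "$(pam_stack_modules "$1" password)" ]
}

# pam_report NAME TEXT: one line per service, so the stacks used by
# login (telnet, serial console) and sshd can be compared side by side.
pam_report() {
    if pam_can_change_password "$2"; then
        printf '%s: password group -> %s\n' "$1" \
            "$(pam_stack_modules "$2" password | tr '\n' ' ')"
    else
        printf '%s: no password group, forced change cannot proceed\n' "$1"
    fi
}

pam_report login "$LOGIN_PAM"
pam_report sshd  "$SSHD_PAM"
```

On a real system the same functions can be pointed at "$(cat /etc/pam.d/login)" and "$(cat /etc/pam.d/sshd)"; where those files pull in a common stack via "include" or "substack", the included file has to be read as well.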
