I have set up SSH single sign-on using Kerberos V5. When a user's password has expired, it returns 'Warning: password has expired.' and allows the user to log in! I even made changes in /etc/pam.d/password-auth such that pam_krb5.so comes above pam_unix.so:
Auth stack:

```
auth requisite pam_krb5.so uid >= 500
#Google authentication configuration module
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth requisite pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 0 quiet
```
Account stack:

```
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so
```
Please suggest any changes to prevent users with expired passwords from logging in.
Logs:

krb5kdc.log:

```
Jun 03 11:34:29 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: CLIENT KEY EXPIRED: testyoga@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jun 03 11:34:47 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: ISSUE: authtime 1464933887, etypes {rep=18 tkt=18 ses=18}, testyoga@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM
```

/var/log/auth.log:

```
pam_krb5[24516]: authentication succeeds for 'testyoga' (testyoga@EXAMPLE.COM)
```
Best Answer
Edit: Based on the contents of the provided account stack, it looks like pam_krb5.so will be skipped if pam_localuser.so succeeds. This is the most likely cause of the password aging restrictions not being applied.

Here's what we know so far:

- pam_krb5 succeeds in authentication despite this.

I suspect your problem is that you don't have the account stack properly configured. There are a few different implementations of pam_krb5 out there, and not all of them implement the password aging check inside of the auth stack: http://linux.die.net/man/8/pam_krb5

The job of the account stack is to enforce access policies, regardless of whether the authentication was successful. This is important, as the auth stack is frequently bypassed when using key-based authentication. It is up to individual developers to decide whether password aging should also result in a failure when calling the module in the auth context.

Conversely, the pam_krb5 implementation maintained by Russ Allbery (my preferred one) would have caught this in the auth stack: https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
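The answer's diagnosis (a `sufficient` pam_localuser entry ends the account stack before pam_krb5 runs) can be checked by replaying the posted stack through the control-flag rules of pam.conf(5). The simulator below is an added example, not code from the question, the answer, Linux-PAM or any pam_krb5 implementation. The module return values are constructed (in particular, pam_krb5 returning `new_authtok_reqd` for an expired password is an assumption about the Red Hat-style module the answer refers to), and the reordered stack is one possible fix assumed here, not an ordering the answer prescribes.

```python
"""Replay a PAM account stack under pam.conf(5) control-flag semantics.

Added example with mocked module results; not Linux-PAM code.
"""
from typing import Dict, List, Tuple

# Legacy control keywords, written as the bracketed action tables that
# pam.conf(5) documents as their equivalents.
LEGACY_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control: str) -> Dict[str, str]:
    """Turn 'required' or '[default=bad success=ok ...]' into an action table."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return LEGACY_CONTROLS[control]


def parse_stack(text: str) -> List[Tuple[str, Dict[str, str], str]]:
    """Parse pam.d-style lines '<type> <control> <module> [args...]' (args ignored)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[1].startswith("["):
            # a bracketed control spans several whitespace-separated tokens
            end = next(i for i, tok in enumerate(parts) if tok.endswith("]"))
            control, module = " ".join(parts[1:end + 1]), parts[end + 1]
        else:
            control, module = parts[1], parts[2]
        entries.append((parts[0], parse_control(control), module))
    return entries


def run_stack(stack, results: Dict[str, str]) -> Tuple[str, List[str]]:
    """Evaluate a stack against mocked results ({module: return value}).

    Returns (final stack status, list of modules actually consulted).
    """
    status = None          # None: no module has contributed to the result yet
    consulted: List[str] = []
    i = 0
    while i < len(stack):
        _kind, actions, module = stack[i]
        ret = results[module]
        consulted.append(module)
        # an unlisted return value takes the 'default' action, which is 'bad'
        action = actions.get(ret, actions.get("default", "bad"))
        skip = 0
        if action.isdigit():            # 'N' acts like 'ok' and skips N modules
            skip, action = int(action), "ok"
        if action == "reset":
            status = None
        elif action in ("ok", "done", "bad", "die"):
            # only an undecided or successful stack state is overridden,
            # so the first recorded failure wins over later successes
            if status in (None, "success"):
                status = ret
            if action in ("done", "die"):
                break                   # stack terminates immediately
        # 'ignore': the return value does not contribute at all
        i += 1 + skip
    return (status or "success"), consulted


# The account stack exactly as posted in the question.
QUESTION_ACCOUNT_STACK = """
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so
"""

# One possible fix, assumed by this example only: consult pam_krb5 before any
# 'sufficient' entry can end the stack.
REORDERED_ACCOUNT_STACK = """
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
"""

# Constructed results for a uid >= 500 user listed in /etc/passwd (so
# pam_localuser succeeds) whose Kerberos password the KDC reports as expired.
EXPIRED_LOCAL_USER = {
    "pam_unix.so": "success",           # no local shadow aging in effect
    "pam_localuser.so": "success",      # user present in /etc/passwd
    "pam_succeed_if.so": "auth_err",    # uid is not < 500
    "pam_krb5.so": "new_authtok_reqd",  # assumed: module surfaces the expiry
    "pam_permit.so": "success",
}


def evaluate(stack_text: str, results: Dict[str, str]) -> Tuple[str, List[str]]:
    return run_stack(parse_stack(stack_text), results)


if __name__ == "__main__":
    for name, text in (("as posted", QUESTION_ACCOUNT_STACK), ("reordered", REORDERED_ACCOUNT_STACK)):
        status, consulted = evaluate(text, EXPIRED_LOCAL_USER)
        print(f"{name:9} -> {status:16} consulted: {', '.join(consulted)}")
```

Run as posted, the stack returns success after pam_unix and pam_localuser and pam_krb5 is never consulted, which matches the answer's reading. With pam_krb5 moved above the first `sufficient` entry, its failure is recorded first and the later `done` from pam_localuser cannot override it, so the application sees `new_authtok_reqd` instead of success.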