
List:       kerberos
Subject:    Re: password expiration not prompting - solaris 10
From:       Russ Allbery <rra () stanford ! edu>
Date:       2009-11-26 1:55:57
Message-ID: 87aayaoxqq.fsf () windlord ! stanford ! edu

CT <caltri@gmail.com> writes:

> Having an issue where when an account password has expired it doesn't
> prompt user to change it and lets user login.  It does show a message
> saying that it has expired.

Sun intentionally disables the normal Kerberos library support for
changing passwords when authenticating with expired passwords.  I'm not
sure why they chose to do that.

If you're running into this in the PAM context, you can work around this
by using a PAM module and an application that supports the fully correct
PAM method of handling expired accounts (return success from auth and then
indicate a password change is needed in the account stack), or you can use
a PAM module that detects and works around this case by doing the password
change prompting itself in the auth stack (my pam-krb5 with force_pwchange
set in the options, for instance).

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
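
The two workarounds described in the reply above, sketched as a Solaris `/etc/pam.conf` fragment. This is an added example, not part of the original message or of the pam-krb5 distribution. The `login` service name, the control flags and the module path are assumptions, only the pam-krb5 lines of the stack are shown, and `defer_pwchange` is the pam-krb5 option for the account-stack method, which the message describes but does not name.

```conf
# /etc/pam.conf fields: service  module_type  control_flag  module_path  [options]
# Constructed fragment: adjust the service name and module path for the local
# system and merge these lines into the existing stack for that service.

# Workaround 1: the module detects the expired password during auth and does
# the password change prompting itself (the force_pwchange option named in
# the message). Works with applications that never act on the account result.
login  auth      sufficient  /path/to/pam_krb5.so  force_pwchange
login  account   required    /path/to/pam_krb5.so
login  password  sufficient  /path/to/pam_krb5.so

# Workaround 2 (alternative to the auth line above, not in addition to it):
# the standard PAM flow. auth returns success for an expired password, the
# account stack then reports that a new password is required, and the
# application must respond by running the password stack. Use only with
# applications that check the account result and handle that request;
# otherwise the user is logged in with the expired password.
#login  auth      sufficient  /path/to/pam_krb5.so  defer_pwchange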