I have setup SSH - single sign on using kerberos V5. When a user password has expired , it returns 'Warning: password has expired.' and allows the user to login! I even made changes in the /etc/pam.d/password-auth
such that pam_krb5.so
comes above pam_unix.so
:
Auth stack:
auth requisite pam_krb5.so uid >= 500
#Google authentication configuration module
auth [success=1 default=ignore] pam_access.so accessfile=/etc/security/access-local.conf
auth requisite pam_google_authenticator.so
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth required pam_deny.so
auth requisite pam_succeed_if.so uid >= 0 quiet
Account stack:
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5.so uid >= 500
account required pam_permit.so
Please suggest any changes to prevent users with expired passwords from login.
LOG :
krb5kdc.log
Jun 03 11:34:29 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: CLIENT KEY EXPIRED: testyoga@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Password has expired
Jun 03 11:34:47 <HOST-NAME> krb5kdc[1752](info): AS_REQ (4 etypes {18 17 16 23}) 192.168.181.40: ISSUE: authtime 1464933887, etypes {rep=18 tkt=18 ses=18}, testyoga@EXAMPLE.COM for kadmin/changepw@EXAMPLE.COM –
/var/log/auth.log
/var/log/auth.log : /var/log/auth.log : pam_krb5[24516]: authentication succeeds for 'testyoga' (testyoga@EXAMPLE.COM) –