Question

SSH users unable to change passwords upon expiration

Asked by: CCBIL

Environment overview:
OS: CentOS 5.3
Kernel: 2.6.18-128.4.1.el5 #1 SMP
OpenSSH 4.3p2

Summary of Problem

Users connecting to the server via SSH are unable to change their passwords if they have expired (see code sample for details). This issue affects SSH users only; console and telnet users do not experience the issue.

What I have looked at:

/etc/ssh/sshd_config file:
#StrictModes yes
#PermitEmptyPasswords no
PasswordAuthentication yes
UsePAM yes

/etc/pam.d/sshd

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so

/etc/pam.d/system-auth

auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


Gut feeling tells me this is an issue with PAM.

login as: user
user@hosts password: 
You are required to change your password immediately (password aged)
Last login: Mon Sep 21 14:02:41 2009 from workstation.net
 
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user user.
Changing password for user
(current) UNIX password: 
passwd: Authentication token manipulation error

                                  
1:
2:
3:
4:
5:
6:
7:
8:
9:
10:
11:

Select allOpen in new window

This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.

Subscribe now for full access to Experts Exchange and get

Instant Access to this Solution

  • Plus...
  • 30 Day FREE access, no risk, no obligation
  • Collaborate with the world's top tech experts
  • Unlimited access to our exclusive solution database
  • Never be left without tech help again

Subscribe Now

Asked On: 2009-09-21 at 12:19:35 (ID 24749492)
Tags: CentOS 5.3, RHEL 5.3, PAM, OpenSSH
Topics: Linux Network Security, Red Hat Linux, Linux
Participating Experts: 1
Points: 0
Comments: 16


Answers

 

by: mrcustard, posted on 2009-09-21 at 13:31:08, ID: 25387277

How did you add the user to /etc/passwd? Did you do it manually or with "useradd"?

Also can you post the output of the following command?

cat /etc/shadow | grep <username>

 

by: CCBIL, posted on 2009-09-21 at 13:36:38, ID: 25387328

The users were added with useradd

user:$1$Gxs1tJL.$q.1iqaPSRiCjrCxHD2i.0/:14124:3:30:7:::

each user must change their password every 30 days and cannot change their password more than 1 time within a 3 day period.
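The shadow entry posted above carries the aging policy in its numeric fields (`14124:3:30:7`: last change day, minimum age, maximum age, warning window). The following script is an added example, not code from the thread: it decodes those fields and classifies the password the way pam_unix's aging checks roughly do (ok, expiring, expired, locked), and reports whether the minimum-age rule would allow a change today. The aging values are the ones posted; the hash in the sample line is a constructed placeholder, and the `today` value is the day the question was asked.

```python
# Added example (not from the thread): decode the aging fields of an /etc/shadow
# entry and classify the password state roughly the way pam_unix's account and
# chauthtok checks do. The aging values (14124:3:30:7) are the ones posted in
# the thread; the hash is a constructed placeholder, not a real credential.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

EPOCH = date(1970, 1, 1)  # shadow(5) dates are day counts since the Unix epoch

# Constructed sample: same aging fields as the thread, placeholder hash.
SAMPLE_ENTRY = "user:$1$placeholder$notarealhashvalue000:14124:3:30:7:::"


@dataclass
class ShadowAging:
    user: str
    last_change: Optional[int]  # field 3: day of last change (0 = must change at next login)
    min_days: Optional[int]     # field 4: minimum days between changes
    max_days: Optional[int]     # field 5: maximum days a password stays valid
    warn_days: Optional[int]    # field 6: warning window before expiry
    inactive: Optional[int]     # field 7: grace days after expiry before the account locks
    expire: Optional[int]       # field 8: absolute account expiry day


def _int_or_none(field: str) -> Optional[int]:
    return int(field) if field else None


def parse_shadow_line(line: str) -> ShadowAging:
    """Split one shadow(5) line; the hash (field 2) is deliberately discarded."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("a shadow entry has exactly 9 colon-separated fields")
    user, _hash, lastchg, mn, mx, warn, inact, expire, _reserved = fields
    return ShadowAging(user, *(_int_or_none(f) for f in (lastchg, mn, mx, warn, inact, expire)))


def day_to_date(days: int) -> date:
    """Convert a shadow day count into a calendar date."""
    return EPOCH + timedelta(days=days)


def password_state(entry: ShadowAging, today: int) -> str:
    """Return one of: account-expired, must-change, locked, expired, expiring, ok."""
    if entry.expire is not None and today >= entry.expire:
        return "account-expired"
    if entry.last_change == 0:
        return "must-change"          # an admin forced a change (e.g. chage -d 0)
    if entry.last_change is None or entry.max_days is None:
        return "ok"                   # no aging configured for this account
    age = today - entry.last_change
    if age > entry.max_days:
        if entry.inactive is not None and age > entry.max_days + entry.inactive:
            return "locked"           # past the inactivity grace period
        return "expired"              # login permitted only to change the password
    if entry.warn_days is not None and age > entry.max_days - entry.warn_days:
        return "expiring"             # inside the warning window
    return "ok"


def can_change_now(entry: ShadowAging, today: int) -> bool:
    """The minimum-age rule: a change is refused until min_days have elapsed."""
    if entry.last_change is None or entry.min_days is None:
        return True
    return today - entry.last_change >= entry.min_days


if __name__ == "__main__":
    e = parse_shadow_line(SAMPLE_ENTRY)
    today = (date(2009, 9, 21) - EPOCH).days  # the day the question was asked
    print(f"last change {day_to_date(e.last_change)}, "
          f"state on {day_to_date(today)}: {password_state(e, today)}")
    print("minimum age satisfied:", can_change_now(e, today))
```

Run against the posted entry this reports a last change on 2008-09-02 and a state of `expired` on the day of the question, with the minimum age long satisfied, so neither aging field explains the `Authentication token manipulation error`; the refusal comes from later in the change, not from the aging policy.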

 

by: mrcustard, posted on 2009-09-21 at 13:42:50, ID: 25387387

Are you using LDAP or just local logins?

 

by: CCBIL, posted on 2009-09-21 at 13:47:19, ID: 25387428

Just local logins

 

by: mrcustard, posted on 2009-09-22 at 07:53:41, ID: 25393505

Can you post what /var/log/messages says around the time that you are receiving the error?

 

by: CCBIL, posted on 2009-09-22 at 07:58:59, ID: 25393569

Nothing gets logged to /var/log/messages , however I do have messages in /var/log/secure

Sep 22 09:56:07 login: pam_unix(remote:account): expired password for user user(password aged)
Sep 22 09:56:24 login: Authentication token manipulation error

 

by: mrcustard, posted on 2009-09-22 at 08:08:26, ID: 25393689

Can you please post output from the following:

lsattr /etc/shadow
lsattr /etc/passwd

Also are you running SELinux? You can find out what state it's in by using: getenforce

 

by: CCBIL, posted on 2009-09-22 at 08:35:41, ID: 25394028

lsattr output
------------- shadow
------------- passwd
ls -l output
-r-------- 1 root root 23874 Sep 22 09:56 shadow
-rw-r--r-- 1 root root 25947 Sep 21 11:39 passwd
-rwxr-xr-x 1 root root 27768 Jan  6  2007 /usr/bin/passwd

SELinux is set to Permissive

 

by: CCBIL, posted on 2009-09-22 at 08:36:46, ID: 25394043

Again this is only an issue with SSH users.  Users who use telnet can change their passwords without issue.

 

by: mrcustard, posted on 2009-09-22 at 10:56:02, ID: 25395593

Are you trying to make sure that your users can't use any previous passwords? If so, did you create this file: /etc/security/opasswd?

 

by: CCBIL, posted on 2009-09-22 at 10:57:41, ID: 25395612

Correct and that file does exist.

 

by: mrcustard, posted on 2009-09-22 at 11:07:00, ID: 25395690

Can you look for the following line in this file /etc/pam.d/system-auth

password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow remember=5

It should have some "remember" level

 

by: CCBIL, posted on 2009-09-22 at 11:15:17, ID: 25395790

Made the change, results still the same.

Also here are the debug messages for sshd

debug1: userauth-request for user user service ssh-connection method none
debug1: attempt 0 failures 0
debug2: monitor_read: 7 used once, disabling now
debug2: input_userauth_request: setting up authctxt for user
debug1: PAM: initializing for "user"
debug2: input_userauth_request: try method none
debug1: PAM: setting PAM_RHOST to "ccb1992.ccbcreditservices.net"
debug1: PAM: setting PAM_TTY to "ssh"
debug2: monitor_read: 46 used once, disabling now
debug2: monitor_read: 3 used once, disabling now
debug2: monitor_read: 4 used once, disabling now
debug1: userauth-request for user user service ssh-connection method password
debug1: attempt 1 failures 1
debug2: input_userauth_request: try method password
debug1: PAM: password authentication accepted for user
debug1: do_pam_account: called
Accepted password for user from 10.10.175.11 port 49212 ssh2
debug1: monitor_child_preauth: user has been authenticated by privileged process
debug2: mac_init: found hmac-sha1
debug2: mac_init: found hmac-sha1
debug1: temporarily_use_uid: 924/924 (e=0/0)
debug1: ssh_gssapi_storecreds: Not a GSSAPI mechanism
debug1: restore_uid: 0/0
debug1: PAM: establishing credentials
debug2: User child is on pid 11594
debug1: PAM: reinitializing credentials
debug1: permanently_set_uid: 924/924
debug2: set_newkeys: mode 0
debug2: cipher_init: set keylen (16 -> 32)
debug2: set_newkeys: mode 1
debug2: cipher_init: set keylen (16 -> 32)
debug1: Entering interactive session for SSH2.
debug2: fd 6 setting O_NONBLOCK
debug2: fd 7 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 256 win 16384 max 16384
debug1: input_session_request
debug1: channel 0: new [server-session]
debug1: session_new: init
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request pty-req reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req pty-req
debug1: Allocating pty.
debug1: session_new: init
debug1: session_new: session 0
debug1: user_context: user_u:system_r:unconfined_t old_tty_context: root:object_r:devpts_t
debug1: session_pty_req: session 0 alloc /dev/pts/178
debug1: server_input_channel_req: channel 0 request shell reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req shell
debug2: fd 3 setting TCP_NODELAY
debug1: Setting controlling tty using TIOCSCTTY.
debug2: channel 0: rfd 9 isatty
debug2: fd 9 setting O_NONBLOCK
debug2: channel 0: read<=0 rfd 9 len -1
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: notify_done: reading
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 11595
debug1: session_exit_message: session 0 channel 0 pid 11595
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: output open -> closed
debug1: session_by_tty: session 0 tty /dev/pts/178
debug1: session_pty_cleanup: session 0 release /dev/pts/178
debug2: channel 0: send close
debug2: channel 0: rcvd close
debug2: channel 0: is dead
debug2: channel 0: gc: notify user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug2: channel 0: gc: user detached
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
Connection closed by 10.10.175.11
debug1: do_cleanup
Closing connection to 10.10.175.11
debug1: PAM: cleanup
debug1: PAM: deleting credentials
debug1: PAM: closing session

                                              

 

by: mrcustard, posted on 2009-09-22 at 11:29:44, ID: 25395941

Did you restart sshd after making the change? Just double checking ...

 

by: CCBIL, posted on 2009-09-22 at 11:37:46, ID: 25396015

More info from the logs.
The following was listed in /var/log/secure after the user tried to change their password.

Sep 22 13:26:45  passwd: pam_unix(passwd:chauthtok): helper binary execve failed: Permission denied
Sep 22 13:26:45  passwd: pam_unix(passwd:chauthtok): unix_update returned error 9

After I found this I looked at the permissions on /usr/bin/passwd again.  I set the suid bit for /usr/bin/passwd.

SSH users can now change their own passwords.
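The root cause in the post above is visible in the earlier `ls -l` line: `-rwxr-xr-x` on /usr/bin/passwd has no `s` in the owner-execute position, so passwd ran with the caller's own uid instead of root and pam_unix could not update /etc/shadow (the `helper binary execve failed: Permission denied` line is that failure). The script below is an added example, not code from the thread: it decodes an `ls -l` mode string, checks live binaries with `os.stat` for the setuid bit and root ownership, and demonstrates the check on a scratch file it creates itself. The helper paths in `DEFAULT_HELPERS` are assumptions for this example; the thread names /usr/bin/passwd and the `unix_update` helper but not the helper's location on disk.

```python
# Added example (not from the thread): verify that the binaries a local
# password change depends on are setuid root, which is what was missing here.
import os
import stat
import tempfile

# Assumed paths for this example; the thread mentions /usr/bin/passwd and the
# pam_unix helper "unix_update" but does not state where the helpers live.
DEFAULT_HELPERS = ("/usr/bin/passwd", "/sbin/unix_chkpwd", "/sbin/unix_update")


def parse_ls_mode(mode_str: str) -> dict:
    """Decode the 10-character symbolic mode printed by `ls -l`, e.g. '-rwsr-xr-x'.

    Position 3 is owner-execute: 'x' plain, 's' setuid+exec, 'S' setuid without exec.
    """
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    owner_exec, group_exec = mode_str[3], mode_str[6]
    return {
        "setuid": owner_exec in "sS",
        "owner_exec": owner_exec in "xs",
        "setgid": group_exec in "sS",
        "world_writable": mode_str[8] == "w",
    }


def ls_line_setuid(line: str) -> tuple:
    """Take a whole `ls -l` line and return (path, has_setuid)."""
    parts = line.split()
    return parts[-1], parse_ls_mode(parts[0])["setuid"]


def stat_setuid_root(path: str) -> dict:
    """Inspect a file on disk: mode bits, setuid flag and whether root owns it."""
    st = os.stat(path)
    return {
        "path": path,
        "mode": oct(stat.S_IMODE(st.st_mode)),
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "owner_root": st.st_uid == 0,
    }


def audit_helpers(paths=DEFAULT_HELPERS) -> list:
    """Return human-readable findings; an empty list means every helper looks right."""
    findings = []
    for path in paths:
        if not os.path.exists(path):
            findings.append(f"{path}: missing")
            continue
        info = stat_setuid_root(path)
        if not info["setuid"]:
            findings.append(f"{path}: mode {info['mode']} lacks setuid; "
                            "non-root users cannot update /etc/shadow through it")
        if not info["owner_root"]:
            findings.append(f"{path}: not owned by root, so setuid would not grant root")
    return findings


def demo_on_tempfile() -> tuple:
    """Show the stat check flipping on a scratch file: (setuid before, setuid after chmod u+s)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o755)
        before = stat_setuid_root(path)["setuid"]
        os.chmod(path, 0o4755)          # same change as `chmod u+s`
        after = stat_setuid_root(path)["setuid"]
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    # The mode string from the thread's ls -l output, before the fix.
    print(ls_line_setuid("-rwxr-xr-x 1 root root 27768 Jan  6  2007 /usr/bin/passwd"))
    print("scratch-file check (before, after):", demo_on_tempfile())
    for finding in audit_helpers():
        print("finding:", finding)
```

On a correctly installed system `audit_helpers()` returns an empty list; the line from the thread decodes to `('/usr/bin/passwd', False)`, which is the condition the last post fixed. Note that `mode` in the findings is the plain permission bits, so `0o755` there means the setuid bit is absent even though the file is otherwise executable.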

 

by: mrcustard, posted on 2009-09-22 at 11:46:51, ID: 25396098

Great - I'm glad you were able to find a solution!
