Dear Lukas,
In this case it's ssh. I just tried it using su - and it worked as expected.
- Seth
su - worked
$ su - test-user
Password:
Password expired. Change your password now.
Current Password:
New password:
Retype new password:
>>>>>>>>>> pam section of auth people for ssh that did not prompt
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): dbus conn: 0x24302d0
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [sbus_message_handler] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[be[auth-people]]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [pamHandler]
[sssd[be[auth-people]]] [be_req_set_domain] (0x0400): Changing request domain from [auth-people] to [auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): tty: ssh
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): rhost: ***.***.***.***
[sssd[be[auth-people]]] [pam_print_data] (0x0100): authtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27192
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
>>>> /etc/pam/password-auth
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_access.so
account     sufficient    pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
>>>>>>> /etc/pam/sshd
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
>>>>>>>> /var/log/secure
sshd[27189]: pam_sss(sshd:auth): received for user test-user: 12 (Authentication token is no longer valid; new one required)
sshd[27189]: Accepted password for test-user from ***.***.***.*** port 50120 ssh2
sshd[27189]: pam_unix(sshd:session): session opened for user test-user by (uid=0)
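The sssd backend log above is hard to read when the pam_print_data lines run together, and the useful fact in it is which PAM commands each sshd process actually sent through sssd. As an added example (not part of the thread, not sssd's own tooling), the script below groups the pam_print_data lines into one record per request and lists the commands seen per client pid, so the absence of a PAM_CHAUTHTOK request for the ssh login can be read off directly. The sample log is constructed from the three requests quoted in the message, reduced to the fields the check needs; the field names and the `Got request` / `Sending result` markers are the ones sssd printed above.

```python
import re
from collections import defaultdict

# Constructed sample, reduced from the three PAM requests the sssd backend logged in
# the thread: PAM_SETCRED and PAM_OPEN_SESSION from sshd pid 27189, then PAM_SETCRED
# from pid 27192. Fields that do not matter for the check are left out.
SSSD_BE_LOG = """\
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): domain: auth-people
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): ruser:
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [pam_print_data] (0x0100): logon name: not set
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_OPEN_SESSION
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 1
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27189
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Got request with the following data
[sssd[be[auth-people]]] [pam_print_data] (0x0100): command: PAM_SETCRED
[sssd[be[auth-people]]] [pam_print_data] (0x0100): user: test-user
[sssd[be[auth-people]]] [pam_print_data] (0x0100): service: sshd
[sssd[be[auth-people]]] [pam_print_data] (0x0100): priv: 0
[sssd[be[auth-people]]] [pam_print_data] (0x0100): cli_pid: 27192
[sssd[be[auth-people]]] [be_pam_handler] (0x0100): Sending result [0][auth-people]
"""

REQ_START = re.compile(r"\[be_pam_handler\] \(0x[0-9a-f]+\): Got request")
FIELD = re.compile(r"\[pam_print_data\] \(0x[0-9a-f]+\): ([a-z_ ]+?): ?(.*)$")
RESULT = re.compile(r"\[be_pam_handler\] \(0x[0-9a-f]+\): Sending result \[(\d+)\]\[([^\]]+)\]")


def parse_pam_requests(log_text):
    """Group pam_print_data lines into one dict per PAM request the backend handled.

    A record opens at 'Got request', collects every 'key: value' field, and closes at
    'Sending result', which supplies the numeric PAM status and the answering domain.
    """
    requests, current = [], None
    for line in log_text.splitlines():
        if REQ_START.search(line):
            current = {}
            continue
        if current is None:
            continue  # sbus chatter between requests
        m = FIELD.search(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
            continue
        m = RESULT.search(line)
        if m:
            current["result"] = int(m.group(1))
            current["result_domain"] = m.group(2)
            requests.append(current)
            current = None
    return requests


def commands_by_client(requests):
    """Map each client pid to the ordered list of PAM commands it sent through sssd."""
    seen = defaultdict(list)
    for r in requests:
        seen[int(r["cli_pid"])].append(r["command"])
    return dict(seen)


def clients_without_chauthtok(requests, service):
    """Client pids of `service` that never sent PAM_CHAUTHTOK to sssd (no password change)."""
    by_pid = defaultdict(set)
    for r in requests:
        if r.get("service") == service:
            by_pid[int(r["cli_pid"])].add(r["command"])
    return sorted(pid for pid, cmds in by_pid.items() if "PAM_CHAUTHTOK" not in cmds)


if __name__ == "__main__":
    reqs = parse_pam_requests(SSSD_BE_LOG)
    for pid, cmds in commands_by_client(reqs).items():
        print(pid, " -> ".join(cmds))
    print("sshd clients with no PAM_CHAUTHTOK:", clients_without_chauthtok(reqs, "sshd"))
```

Run against a full `sssd_auth-people.log` from a working `su -` login and a failing ssh login, the per-pid command list makes the difference between the two paths visible without reading the raw debug output.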
On (20/11/14 09:39), Seth Sims wrote:
> sshd[27189]: pam_sss(sshd:auth): received for user test-user: 12 (Authentication token is no longer valid; new one required)
The PAM error code 12 (PAM_NEW_AUTHTOK_REQD) was not lost.
> sshd[27189]: Accepted password for test-user from ***.***.***.*** port 50120 ssh2
> sshd[27189]: pam_unix(sshd:session): session opened for user test-user by (uid=0)
I have no idea why it was ignored by sshd.
LS
sssd-users@lists.fedorahosted.org
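Lukas's observation is that `/var/log/secure` already records the expired-password verdict (status 12 from `pam_sss(sshd:auth)`) and, a moment later, a session being opened for the same pid with no password change in between. As an added example (not from the thread), the following script turns that observation into a check that can be run over a secure log to list ssh logins where an expired password was reported but never changed. The first three lines of the sample are the ones quoted above (masked address kept); the pid 31000 lines are constructed for contrast, and the wording of the `sshd:chauthtok` line is an assumption about what a successful change looks like in the log.

```python
import re

# Constructed sample log. Lines for pid 27189 are the ones quoted in the thread; pid 31000
# is a constructed contrast case whose session did include a chauthtok step.
SECURE_LOG = """\
sshd[27189]: pam_sss(sshd:auth): received for user test-user: 12 (Authentication token is no longer valid; new one required)
sshd[27189]: Accepted password for test-user from ***.***.***.*** port 50120 ssh2
sshd[27189]: pam_unix(sshd:session): session opened for user test-user by (uid=0)
sshd[31000]: pam_sss(sshd:auth): received for user other-user: 12 (Authentication token is no longer valid; new one required)
sshd[31000]: Accepted password for other-user from 192.0.2.11 port 50130 ssh2
sshd[31000]: pam_unix(sshd:chauthtok): password changed for other-user
sshd[31000]: pam_unix(sshd:session): session opened for user other-user by (uid=0)
"""

PAM_NEW_AUTHTOK_REQD = 12  # value of the PAM status code named in the thread

LINE = re.compile(r"^sshd\[(\d+)\]: (.*)$")
PAM_SSS_AUTH = re.compile(r"pam_sss\(sshd:auth\): received for user (\S+): (\d+)")
CHAUTHTOK = re.compile(r"\(sshd:chauthtok\)")
SESSION_OPEN = re.compile(r"\(sshd:session\): session opened for user (\S+)")


def expired_logins(log_text):
    """Map sshd pid -> user for every login where pam_sss returned PAM_NEW_AUTHTOK_REQD."""
    found = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        s = PAM_SSS_AUTH.search(m.group(2))
        if s and int(s.group(2)) == PAM_NEW_AUTHTOK_REQD:
            found[int(m.group(1))] = s.group(1)
    return found


def find_unforced_expired_logins(log_text):
    """(pid, user) pairs where an expired password was reported at auth time but a
    session was opened for that pid without any sshd:chauthtok line in between."""
    expired = expired_logins(log_text)
    changed, opened = set(), set()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        if CHAUTHTOK.search(msg):
            changed.add(pid)
        elif SESSION_OPEN.search(msg):
            opened.add(pid)
    return sorted((pid, user) for pid, user in expired.items()
                  if pid in opened and pid not in changed)


if __name__ == "__main__":
    for pid, user in find_unforced_expired_logins(SECURE_LOG):
        print(f"sshd[{pid}]: {user} logged in with an expired password and was not asked to change it")
```

The check keys everything on the sshd pid, which is the only field the three quoted lines share, so it works on a plain `grep sshd /var/log/secure` without timestamps.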