Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Server
User Name
Linux - Server This forum is for the discussion of Linux Software used in a server related context.


  Search this Thread
Old 03-11-2015, 06:01 PM   #1
LQ Newbie
Registered: Mar 2015
Posts: 1

Rep: Reputation: Disabled
PAM Authentication failure Authentication token no longer valid, allowed in anyway

Try to fix a security issue I discovered that allows users with expired passwords to authenticate anyway and be allowed access. Where might I fix this on RHEL 6? It's obviously set somewhere to ignore the authentication failure and expired token. Same user results below.

Expired Password:
sshd[14776]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip address> user=<username>
sshd[14776]: pam_sss(sshd:auth): received for user <username>: 12 (Authentication token is no longer valid; new one required)
sshd[14776]: Accepted password for <username> from <ip address> port <port number> ssh2
sshd[14776]: pam_unix(sshd:session): session opened for user <username> by (uid=0)

Non-expired Password:
sshd[22018]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=<ip address> user=<username>
sshd[22018]: Accepted password for <username> from <ip address> port <port number> ssh2
sec001 sshd[22018]: pam_unix(sshd:session): session opened for user <username> by (uid=0)
Old 03-12-2015, 03:37 AM   #2
Senior Member
Registered: Dec 2010
Location: Internet
Distribution: Linux Mint, SLES, CentOS, Red Hat
Posts: 2,385

Rep: Reputation: 477Reputation: 477Reputation: 477Reputation: 477Reputation: 477
Usually when a user password expires and it tries to authenticate over sshd it is asked to enter the existing password and then it prompt the user to change the password. If that is not the case it would be good to have a look at /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth.

Do you have any system where it is working as per design I mean when sshing prompting to change the password if user password is expired? If yes, it will be a good idea to compare the files from a working system with a non-working system.

If possible, paste the output of the above mentioned files in this thread.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
vsftpd Authentication Failure - PAM Related? Xplorer4x4 Linux - Software 1 05-12-2013 08:52 PM
PAM authentication failure capibolso Linux - Newbie 1 05-01-2013 04:24 AM
PAM Authentication failure phillipewu Linux - Security 1 07-22-2010 02:06 AM
PAM User Login Authentication Failure robeb Linux - Security 5 11-16-2002 09:01 PM
NIS and pam/gdm authentication failure cquense Linux - Networking 0 07-05-2001 04:08 AM > Forums > Linux Forums > Linux - Server

All times are GMT -5. The time now is 06:34 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration