On a fresh Arch Linux installation, I'm trying to require the user to change password on first log in. I expire the password using passwd --expire username, but the user can the no longer log in. This message is shown:
You are required to change your password immediately (administrator enforced)
Authentication token manipulation errorAfter a few seconds, it returns to the login prompt.
What causes this error, can can it be fixed to allow the user to change password?
I get the same behavior whether I set a password, or delete the password with passwd --delete.
1 Answer
I was curious about that behavior so I tested it on my machine.
Reproduction
I create a new user
# useradd -m -s /bin/bash testI create a dummy password for it
# passwd test Geben Sie ein neues Passwort ein: Geben Sie das neue Passwort erneut ein:Test what I did so far into another terminal
$ su - test Passwort: $ # I'm in. $ exit # I'm out.Back to my root terminal, I try to do what you did...
# passwd --expire test passwd: Passwortablauf-Informationen geändert.Back to my normal terminal, I try to connect with the new user.
$ su - test Passwort: You are required to change your password immediately (administrator enforced) su: Fehler beim Ändern des AuthentifizierungstokenInteresting, I get the same as yourself.
Husking
So I was curious so I looked into the manual
# LC_ALL=en_US.UTF-8 man passwd #Comment# LC_ALL is needed because otherwise, I get the manual in german.And curiously it says:
-e, --expire Immediately expire an account's password. This in effect can force a user to change their password at the user's next login.I concluded that it's strange that the described behavior is not working...
So as I know pam.d is responsible for the login I looked for it into the journal.
# journalctl -g pam -xeIn the log, I saw the following.
Jul 28 xx:xx:xx funilrys su[xxxxx]: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=pts/4 ruser=funilrys rhost= user=test
Jul 28 xx:xx:xx funilrys su[xxxxx]: pam_unix(su-l:account): expired password for user test (root enforced)
Jul 28 xx:xx:xx funilrys su[xxxxx]: pam_warn(su-l:chauthtok): function=[pam_sm_chauthtok] flags=0x4020 service=[su-l] terminal=[pts/4] user=[test] ruser=[funilrys] rhost=[<unknown>]Note: As I log in with su the su-l is the service which is used.
That means that pam.d works properly but it does not handle the password change.
But I wasn't convinced, so I tested with SSH (I leave to you the SSH configuration) and it worked.
$ ssh -p xxxxx
Passwort:
You are required to change your password immediately (administrator enforced)
Ändern des Passworts für test.
Current password:
Geben Sie ein neues Passwort ein:
Geben Sie das neue Passwort erneut ein:
$ I asked myself, where is the difference?
What I found is that the /etc/pam.d/sshd file has this line
password include system-remote-loginSo as my service was su-l I added that line to /etc/pam.d/su-l
Then tried again.
$ su - test
Passwort:
You are required to change your password immediately (administrator enforced)
Ändern des Passworts für test.
Current password:
Geben Sie ein neues Passwort ein:
Geben Sie das neue Passwort erneut ein: And it worked!
Conclusion
If you add the following line into /etc/pam.d/login, /etc/pam.d/su-l or other configuration depending on the service you use. The user will be able to change their password on next login.
password include system-remote-loginRecommendation (Edit 1)
In my analysis, I went through but after looking deep into it, I have to admit that even if system-remote-login is working, we should avoid it because it was actually thought for SSH.
So, I recommend anybody who meets this issue to add the following line (instead) into /etc/pam.d/login, /etc/pam.d/su-l or other configuration depending on the service you use.
password include system-local-login 2