SSH works with expired Kerberos Password

Edit:

Based on the contents of the provided account stack, it looks like pam_krb5.so will be skipped if pam_localuser.so succeeds. This is the most likely cause of the password aging restrictions not being applied.
Here's what we know so far:

  • The logged messages confirm that the user's password has expired.
  • pam_krb5 succeeds in authentication despite this.

I suspect your problem is that you don't have the account stack properly configured. There are a few different implementations of pam_krb5 out there, and not all of them implement the password aging check inside of the auth stack:

http://linux.die.net/man/8/pam_krb5

When a user logs in, the module's authentication function performs a simple password check and, if possible, obtains Kerberos 5 credentials, caching them for later use. When the application requests initialization of credentials (or opens a session), the usual ticket files are created. When the application subsequently requests deletion of credentials or closing of the session, the module deletes the ticket files. When the application requests account management, if the module did not participate in authenticating the user, it will signal libpam to ignore the module. If the module did participate in authenticating the user, it will check for an expired user password and verify the user's authorization using the .k5login file of the user being authenticated, which is expected to be accessible to the module.

The job of the account stack is to enforce access policies, regardless of whether the authentication was successful. This is important, as the auth stack is frequently bypassed when using key-based authentication. It is up to individual developers to decide whether password aging should also result in a failure when calling the module in the auth context.

Conversely, the pam_krb5 implementation maintained by Russ Allbery (my preferred one) would have caught this in the auth stack.

https://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html

account

Provides an implementation of pam_acct_mgmt(). All it does is do the same authorization check as performed by the pam_authenticate() implementation described above.
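To make the control-flow point concrete (a `sufficient pam_localuser.so` line placed before `pam_krb5.so` ends the account stack for any local user, so the Kerberos expiry check never runs), here is an added, simplified model of Linux-PAM's control-flag evaluation. It is example code written for this discussion, not Linux-PAM's dispatcher and not the poster's actual configuration: the two stacks, the user directory, and the module behaviours are all constructed assumptions. The shorthand-to-bracketed expansions follow the pam.conf(5) documentation; the model ignores the `jump` actions, `optional`-only stacks, and other corner cases.

```python
"""Simplified model of Linux-PAM account-stack evaluation.

Added example for illustration only: not Linux-PAM code, and the stacks and
users below are assumptions, not the poster's real /etc/pam.d files.
"""

# PAM return codes used by the simulated modules (lower-case form of the PAM constants)
SUCCESS = "success"
USER_UNKNOWN = "user_unknown"
NEW_AUTHTOK_REQD = "new_authtok_reqd"   # password expired: the caller must change it

# Shorthand controls expanded to the bracketed action maps documented in pam.conf(5)
SHORTHAND = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}


def parse_control(control):
    """Accept a shorthand word or a bracketed '[success=ok default=bad ...]' string."""
    if control in SHORTHAND:
        return SHORTHAND[control]
    pairs = (item.split("=", 1) for item in control.strip("[]").split())
    return {key: action for key, action in pairs}


def run_stack(stack, user, modules):
    """Evaluate one stack top to bottom.

    stack   : list of (control, module_name) pairs, in file order
    modules : dict module_name -> callable(user) returning a PAM code
    Returns (final_status, list_of_modules_actually_invoked).
    """
    status = None      # result that currently counts for the whole stack
    failed = False     # the first recorded failure is never overridden by a later success
    invoked = []
    for control, name in stack:
        actions = parse_control(control)
        ret = modules[name](user)
        invoked.append(name)
        action = actions.get(ret, actions["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if not failed and status in (None, SUCCESS):
                status = ret
            if action == "done" and not failed:
                break                      # 'sufficient': stop here, nothing below runs
        elif action in ("bad", "die"):
            if not failed:
                status, failed = ret, True
            if action == "die":
                break                      # 'requisite': fail immediately
    return status, invoked


# Constructed directory state: alice is both a local account and a Kerberos
# principal whose password has expired; bob is Kerberos-only; root is local-only.
LOCAL_USERS = {"alice", "root"}               # present in /etc/passwd
KRB_PRINCIPALS = {"alice", "bob"}
KRB_PASSWORD_EXPIRED = {"alice"}
NSS_USERS = LOCAL_USERS | KRB_PRINCIPALS      # assume NSS resolves the Kerberos users too

MODULES = {
    "pam_unix.so":      lambda u: SUCCESS if u in NSS_USERS else USER_UNKNOWN,
    "pam_localuser.so": lambda u: SUCCESS if u in LOCAL_USERS else USER_UNKNOWN,
    "pam_krb5.so":      lambda u: (USER_UNKNOWN if u not in KRB_PRINCIPALS
                                   else NEW_AUTHTOK_REQD if u in KRB_PASSWORD_EXPIRED
                                   else SUCCESS),
    "pam_permit.so":    lambda u: SUCCESS,
}

# Assumed weak stack: 'sufficient pam_localuser.so' sits above pam_krb5.so, so every
# local user short-circuits the stack before the Kerberos expiry check can run.
WEAK_STACK = [
    ("required",   "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("required",   "pam_permit.so"),
]

# Assumed hardened stack: pam_krb5.so is consulted first, so an expired password is
# recorded as a failure that the later 'sufficient' line cannot override.
HARDENED_STACK = [
    ("required",   "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore]", "pam_krb5.so"),
    ("sufficient", "pam_localuser.so"),
    ("required",   "pam_permit.so"),
]


if __name__ == "__main__":
    for label, stack in (("weak", WEAK_STACK), ("hardened", HARDENED_STACK)):
        for user in ("alice", "bob", "root"):
            status, invoked = run_stack(stack, user, MODULES)
            print(f"{label:8} {user:5} -> {status:17} consulted: {', '.join(invoked)}")
```

Running it shows the weak stack returning `success` for alice after only `pam_unix.so` and `pam_localuser.so` have been consulted, while the hardened order returns `new_authtok_reqd` for her and still admits bob (Kerberos-only, not expired) and root (local-only, ignored by pam_krb5 via `user_unknown=ignore`). The same trace is what you would expect to see with `debug` enabled on the modules in a real stack: the module that never logs is the one that was never reached.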